Abstract. Users wanting to monitor distributed or component-based systems often perceive them as monolithic systems which, seen from the outside, exhibit a uniform behaviour as opposed to many components displaying many local behaviours that together constitute the system's global behaviour. This level of abstraction is often reasonable, hiding implementation details from users who may want to specify the system's global behaviour in terms of an LTL formula. However, the problem that arises then is how such a specification can actually be monitored in a distributed system that has no central data collection point, where all the components' local behaviours are observable. In this case, the LTL specification needs to be decomposed into sub-formulae which, in turn, need to be distributed amongst the components' locally attached monitors, each of which sees only a distinct part of the global behaviour.
The main contribution of this paper is an algorithm for distributing and monitoring LTL formulae, such that satisfaction or violation of specifications can be detected by local monitors alone. We present an implementation and show that our algorithm introduces only a minimum delay in detecting satisfaction/violation of a specification. Moreover, our practical results show that the communication overhead introduced by the local monitors is considerably lower than the number of messages that would need to be sent to a central data collection point.

1 Introduction 

Much work has been done on monitoring systems w.r.t. formal specifications such as linear-time temporal logic (LTL [1]) formulae. For this purpose, a system is thought of more or less as a "black box", and some (automatically generated) monitor observes its outside visible behaviour in order to determine whether or not the runtime behaviour satisfies an LTL formula. Applications include monitoring programs written in Java (cf. [2, 3]) or C (cf. [4]), monitoring of abstract Web services (cf. [5]), or transactions on typical e-commerce sites (cf. [6]).

From the point of view of a system designer, who defines the overall behaviour that a system has to adhere to, this "black box" view is perfectly reasonable. For example, most modern cars have the ability to issue a warning if a passenger (including the driver) is not wearing a seat belt after the vehicle has reached a certain speed. One could imagine using a monitor to help issue this warning based on the following LTL formalisation, which captures this abstract requirement:

$$\varphi = \mathbf{G}\Big(speed\_low \lor \big((pressure\_sensor\_1\_high \rightarrow seat\_belt\_1\_on) \land \ldots \land (pressure\_sensor\_n\_high \rightarrow seat\_belt\_n\_on)\big)\Big)$$

The formula φ asserts that, at all times, when the car has reached a certain speed, and the pressure sensor in a seat i ∈ [1, n] detects that a person is sitting in it (pressure_sensor_i_high), it has to be the case that the corresponding seat belt is fastened (seat_belt_i_on). Moreover, one can build a monitor for φ, which receives the respective sensor values and is able to assert whether or not these values constitute a violation — but, only if some central component exists in the car's network of components, which collects these sensor values and consecutively sends them to the monitor as input! In many real-world scenarios, such as the automotive one, this is an unrealistic assumption mainly for economic reasons, but also because the communication on a car's bus network has to be kept minimal. Therefore one cannot continuously send unnecessary sensor information on a bus that is shared by potentially critical applications where low latency is paramount (cf. [7]). In other words, in these scenarios, one has to monitor such a requirement not based on a single behavioural trace, assumed to be collected by some global sensor, but based on the many partial behavioural traces of the components which make up the actual system. We refer to this as decentralised LTL monitoring when the requirement is given in terms of an LTL formula.

The main constraint that decentralised LTL monitoring needs to address is the lack of a global sensor and a central decision making point asserting whether the system's behaviour has violated or satisfied a specification. We already pointed out that, from a practical point of view, a central decision making point (i.e., global sensor) would require all the individual components to continuously send events over the network, thereby negatively affecting the response time for other potentially critical applications on the network. Moreover, from a theoretical point of view, a central observer (resp. global sensor) basically resembles the classical LTL monitoring problem, where the decentralised nature of the system under scrutiny does not play a role.

Arguably, there exist a number of real-world component-based applications, where the monitoring of an LTL 
formula can be realised via global sensors and/or central decision making points, e.g., when network latency and 
criticality do not play an important role. However, here we want to focus on those cases where there exists no global 
trace, no central decision making point, and where the goal is to keep the communication, required for monitoring the 
LTL formula, at a minimum. 

In the decentralised setting, we assume that the system under scrutiny consists of a set of n components C = {C_1, C_2, ..., C_n}, communicating on a synchronous bus, each of which has a local monitor attached to it. The set of all events is Σ = Σ_1 ∪ Σ_2 ∪ ... ∪ Σ_n, where Σ_i is the set of events visible to the monitor at component C_i. The global LTL formula, on the other hand, is specified over a set of propositions, AP, such that Σ = 2^AP. Moreover, we demand for all i, j ≤ n with i ≠ j that Σ_i ∩ Σ_j = ∅ holds, i.e., events are local w.r.t. the components where they are monitored.

At a first glance, the synchronous bus may seem an overly stringent constraint imposed by our setting. However, it 
is by no means unrealistic, since in many real-world systems, especially critical ones, communication is synchronous. 
For example, the FlexRay bus protocol (cf. [8]) used for safety-critical systems in the automotive domain, allows 
synchronous communication. Similar systems are used in avionics, where synchronous implementations of control 
systems have, arguably, played an even greater role than in the automotive domain due to their deterministic notion of 
concurrency and the strong guarantees one can give concerning their correctness. 

Brief overview of the approach. Let, as before, φ be an LTL formula formalising a requirement over the system's global behaviour. Then every local monitor, M_i, will at any time, t, monitor its own LTL formula, φ^t_i, w.r.t. a partial behavioural trace, u_i. Let us use u_i(m) to denote the (m + 1)-th event in a trace u_i, and u = (u_1, u_2, ..., u_n) for the global trace, obtained by pair-wise parallel composition of the partial traces, each of which at time t is of length t + 1 (i.e., u = u_1(0) ∪ u_2(0) ∪ ... ∪ u_n(0) ··· u_1(t) ∪ u_2(t) ∪ ... ∪ u_n(t)). Note that from this point forward we will use u only when, in a given context, it is important to consider a global trace. However, when the particular type of trace (i.e., partial or global) is irrelevant, we will simply use u, u_i, etc. We also shall refer to partial traces as local traces due to their locality to a particular monitor in the system.

The decentralised monitoring algorithm evaluates the global trace u by considering the locally observed traces u_i, i ∈ [1, n], in separation. In particular, it exhibits the following properties.

• If a local monitor yields φ^t_i = ⊥ (resp. φ^t_i = ⊤) on some component C_i by observing u_i, it implies that uΣ^ω ⊆ Σ^ω \ L(φ) (resp. uΣ^ω ⊆ L(φ)) holds, where L(φ) is the set of infinite sequences in Σ^ω described by φ. That is, a locally observed violation (resp. satisfaction) is, in fact, a global violation (resp. satisfaction). Or, in other words, u is a bad (resp. good) prefix for φ.

• If the monitored trace u is such that uΣ^ω ⊆ Σ^ω \ L(φ) (resp. uΣ^ω ⊆ L(φ)), one of the local monitors on some component C_i yields φ^{t'}_i = ⊥ (resp. φ^{t'}_i = ⊤), t' ≥ t, for an observation u'_i, an extension of u_i, the local observation of u on C_i, because of some latency induced by decentralised monitoring, as we shall see.

However, in order to allow for the local detection of global violations (and satisfactions), monitors must be able to communicate, since their traces are only partial w.r.t. the global behaviour of the system. Therefore, our second important objective is to also monitor with minimal communication overhead (in comparison with a centralised solution where at any time, t, all n monitors send the observed events to a central decision making point).

Outline. Section 2 introduces basic notions and notation. LTL monitoring by means of formula rewriting (progression), a central concept to our paper, is discussed in Sec. 3. In Sec. 4, we lift this concept to the decentralised setting. The semantics induced by decentralised LTL monitoring is outlined in Sec. 5, whereas Sec. 6 details how the local monitors operate in this setting and gives a concrete algorithm for this purpose. Experimental results, showing the feasibility of our approach, are presented in Sec. 7. Section 8 concludes and gives pointers to some related approaches. The proofs for all results claimed in this paper are in Appendix A.

Table 1: LTL semantics over infinite traces

$$w^i \models p \iff p \in w(i), \text{ for any } p \in AP$$

$$w^i \models \varphi_1 \lor \varphi_2 \iff w^i \models \varphi_1 \lor w^i \models \varphi_2$$

$$w^i \models \varphi_1 \mathbf{U} \varphi_2 \iff \exists k \in [i, \infty[.\ w^k \models \varphi_2 \land \forall l \in [i, k[.\ w^l \models \varphi_1$$

2 Preliminaries 

The considered architecture. Each component of the system emits events at discrete time instances. An event σ is a set of actions denoted by some atomic propositions from the set AP, i.e., σ ∈ 2^AP. We denote 2^AP by Σ and call it the alphabet (of system events).

As our system operates under the perfect synchrony hypothesis (cf. [9]), we assume that its components communicate with each other in terms of sending and receiving messages (which, for the purpose of easier presentation, can also be encoded by actions) at discrete instances of time, which are represented using identifier t ∈ N^{≥0}. Under this hypothesis, it is assumed that neither computation nor communication take time. In other words, at each time t, a component may receive up to n − 1 messages and dispatch up to 1 message, which in the latter case will always be available at the respective recipient of the messages at time t + 1. Note that these assumptions extend to the components' monitors, which operate and communicate on the same synchronous bus. The hypothesis of perfect synchrony essentially abstracts away implementation details of how long it takes for components or monitors to generate, send, or receive messages. As indicated in the introduction, this is a common hypothesis for certain types of systems, which can be designed and configured (e.g., by choosing an appropriate duration between time t and t + 1) to not violate this hypothesis (cf. [9]).

We use a projection function Π_i to restrict atomic propositions or events to the local view of monitor M_i, which can only observe those of component C_i. For atomic propositions, Π_i : 2^AP → 2^AP and we note AP_i = Π_i(AP) for i ∈ [1, n]. For events, Π_i : Σ → Σ and we note Σ_i = Π_i(Σ) for i ∈ [1, n]. We also assume ∀i, j ≤ n. i ≠ j ⇒ AP_i ∩ AP_j = ∅ and consequently ∀i, j ≤ n. i ≠ j ⇒ Σ_i ∩ Σ_j = ∅. Seen over time, each component C_i produces a trace of events, also called its behaviour, which for t time steps is encoded as u_i = u_i(0) · u_i(1) ··· u_i(t − 1) with ∀t' < t. u_i(t') ∈ Σ_i. Finite traces over an alphabet Σ are elements of the set Σ* and are typically encoded by u, u', ..., whereas infinite traces over Σ are elements of the set Σ^ω and are typically encoded by w, w', .... The set of all traces is given by the set Σ^∞ = Σ* ∪ Σ^ω. The set Σ* \ {ε} is noted Σ^+. The finite or infinite sequence w^t is the suffix of the trace w ∈ Σ^∞, starting at time t, i.e., w^t = w(t) · w(t + 1) ···. The system's global behaviour, u = (u_1, u_2, ..., u_n), can now be described as a sequence of pair-wise unions of the local events in the components' traces, each of which at time t is of length t + 1, i.e., u = u(0) ··· u(t).

Linear Temporal Logic (LTL). We monitor a system w.r.t. a global specification, expressed as an LTL [1] formula, that does not state anything about its distribution or the system's architecture. Formulae of LTL can be described using the following grammar: φ ::= p | (φ) | ¬φ | φ ∨ φ | Xφ | φ U φ, where p ∈ AP. Additionally, we allow the following operators, each of which is defined in terms of the above ones: ⊤ = p ∨ ¬p, ⊥ = ¬⊤, φ_1 ∧ φ_2 = ¬(¬φ_1 ∨ ¬φ_2), Fφ = ⊤ U φ, and Gφ = ¬F(¬φ). The operators X, U, F and G are the temporal operators. Formulae without temporal operators are called state formulae. We describe the set of all LTL formulae over AP by the set LTL(AP), or just LTL when the set of atomic propositions is clear from the context or does not matter. The semantics of LTL [1] is defined w.r.t. infinite traces:
Definition 1. Let w ∈ Σ^ω and i ∈ N^{≥0}. Satisfaction of an LTL formula by w at time i is inductively defined as given in Table 1.

When w^0 ⊨ φ holds, we also write w ⊨ φ to denote the fact that w is a model for φ. As such, every formula φ ∈ LTL(AP) describes a set of infinite traces, called its language, and is denoted by L(φ) ⊆ Σ^ω. In this paper, a language describes desired or undesired system behaviours, formalised by an LTL formula.



3 Monitoring LTL formulae by progression 

Central to our monitoring algorithm is the notion of good and bad prefixes for an LTL formula or, to be more precise, for the language it describes:

Definition 2. Let L ⊆ Σ^ω be a language. The set of all good prefixes (resp. bad prefixes) of L is given by good(L) (resp. bad(L)) and defined as follows:

$$good(L) = \{u \in \Sigma^* \mid u \cdot \Sigma^\omega \subseteq L\}, \qquad bad(L) = \{u \in \Sigma^* \mid u \cdot \Sigma^\omega \subseteq \Sigma^\omega \setminus L\}.$$

To further ease presentation, we will shorten good(L(φ)) (resp. bad(L(φ))) to good(φ) (resp. bad(φ)).

Although there exist a myriad of different approaches to monitoring LTL formulae, based on various finite-trace semantics (cf. [10]), one valid way of looking at the monitoring problem for some formula φ ∈ LTL is the following: The monitoring problem of φ ∈ LTL is to devise an efficient monitoring algorithm which, in a stepwise manner, receives events from a system under scrutiny and states whether or not the trace observed so far constitutes a good or a bad prefix of φ. One monitoring approach along those lines is described in [11]. We do not want to reiterate how in [11] a monitor is constructed for some LTL formula, but rather review an alternative monitoring procedure based on formula rewriting, which is also known as formula progression, or just progression in the domain of planning with temporally extended goals (cf. [12]).

Progression splits a formula into a formula expressing what needs to be satisfied by the current observation and a new formula (referred to as a future goal or obligation), which has to be satisfied by the trace in the future. As progression plays a crucial role in decentralised LTL monitoring, we recall its definition for the full set of LTL operators.

Definition 3. Let φ, φ_1, φ_2 ∈ LTL, and σ ∈ Σ be an event. Then, the progression function P : LTL × Σ → LTL is inductively defined as follows:

$$\begin{aligned}
P(p \in AP, \sigma) &= \top \text{ if } p \in \sigma,\ \bot \text{ otherwise} & P(\neg\varphi, \sigma) &= \neg P(\varphi, \sigma)\\
P(\varphi_1 \lor \varphi_2, \sigma) &= P(\varphi_1, \sigma) \lor P(\varphi_2, \sigma) & P(\varphi_1 \land \varphi_2, \sigma) &= P(\varphi_1, \sigma) \land P(\varphi_2, \sigma)\\
P(\varphi_1 \mathbf{U} \varphi_2, \sigma) &= P(\varphi_2, \sigma) \lor P(\varphi_1, \sigma) \land \varphi_1 \mathbf{U} \varphi_2 & P(\mathbf{G}\varphi, \sigma) &= P(\varphi, \sigma) \land \mathbf{G}\varphi\\
P(\mathbf{F}\varphi, \sigma) &= P(\varphi, \sigma) \lor \mathbf{F}\varphi & P(\mathbf{X}\varphi, \sigma) &= \varphi
\end{aligned}$$

Note that monitoring using rewriting with similar rules as above has been described, for example, in [13, 14], although not necessarily with the same finite-trace semantics in mind that we are discussing in this paper. Informally, the progression function "mimics" the LTL semantics on an event σ, as is stated by the following lemma.

Lemma 1. Let φ be an LTL formula, σ an event and w an infinite trace. We have σ · w ⊨ φ ⟺ w ⊨ P(φ, σ).

Lemma 2. If P(φ, σ) = ⊤, then σ ∈ good(φ), whereas if P(φ, σ) = ⊥, then σ ∈ bad(φ).

Moreover, from Corollary 2 and Definition 2 it follows that if P(φ, σ) ∉ {⊤, ⊥}, then there exist traces w, w' ∈ Σ^ω such that σ · w ⊨ φ and σ · w' ⊭ φ hold. Let us now get back to [11], which introduces a finite-trace semantics for LTL monitoring called LTL3. It is captured by the following definition.

Definition 4. Let u ∈ Σ*. The satisfaction relation of LTL3, ⊨_3 : Σ* × LTL → B_3, with B_3 = {⊤, ⊥, ?}, is defined as

$$u \models_3 \varphi = \begin{cases} \top & \text{if } u \in good(\varphi),\\ \bot & \text{if } u \in bad(\varphi),\\ ? & \text{otherwise.} \end{cases}$$
Based on this definition, it now becomes obvious how progression could serve as a monitoring algorithm for LTL3.

Theorem 1. Let u = u(0) ··· u(t) ∈ Σ^+ be a trace, and v ∈ LTL be the verdict, obtained by t + 1 consecutive applications of the progression function of φ on u, i.e., v = P(...(P(φ, u(0)), ..., u(t))). The following cases arise: If v = ⊤, then u ⊨_3 φ = ⊤ holds. If v = ⊥, then u ⊨_3 φ = ⊥ holds. Otherwise, u ⊨_3 φ = ? holds.

Note that in comparison with the monitoring procedure for LTL3, described in [11], our algorithm, implied by this theorem, has the disadvantage that the formula, which is being progressed, may grow in size relative to the number of events. However, in practice, the addition of some practical simplification rules to the progression function usually prevents this problem from occurring.



4 Decentralised progression 

Conceptually, a monitor, M_i, attached to component C_i, which observes events over Σ_i ⊆ Σ, is a rewriting engine that accepts as input an event σ ∈ Σ_i and an LTL formula, and then applies LTL progression rules. Additionally, at each time t, in our n-component architecture, a monitor can send a message and receive up to n − 1 messages in order to communicate with the other monitors in the system, using the same synchronous bus that the system's components communicate on. The purpose of these messages is to send future or even past obligations to other monitors, encoded as LTL formulae. In a nutshell, a formula is sent by some monitor M_i whenever the most urgent outstanding obligation imposed by M_i's current formula at time t, φ^t_i, cannot be checked using events from Σ_i alone. Intuitively, the urgency of an obligation is defined by the occurrences (or lack) of certain temporal operators in it. For example, in order to satisfy p ∧ Xq, a trace needs to start with p, followed by a q. Hence, the obligation imposed by the subformula p can be thought of as "more urgent" than the one imposed by Xq. A more formal definition is given later in this section.

When progressing an LTL formula, e.g., in the domain of planning to rewrite a temporally extended LTL goal during plan search, the rewriting engine, which implements the progression rules, will progress a state formula p ∈ AP, with an event σ such that p ∉ σ, to ⊥, i.e., P(p, σ) = ⊥ (see Definition 3). However, doing this in the decentralised setting could lead to wrong results. In other words, we need to make a distinction as to why p ∉ σ holds locally, and then to progress accordingly. Consequently, the progression rule for atomic propositions is simply adapted by parameterising it by a local set of atomic propositions AP_i:

$$P(p, \sigma, AP_i) = \begin{cases} \top & \text{if } p \in \sigma,\\ \bot & \text{if } p \notin \sigma \land p \in AP_i,\\ \overline{\mathbf{X}}p & \text{otherwise,} \end{cases} \qquad (1)$$

where for every w ∈ Σ^ω and j > 0, we have w^j ⊨ X̄φ if and only if w^{j−1} ⊨ φ. In other words, X̄ is the dual to the X-operator, sometimes referred to as the "previously-operator" in past-time LTL (cf. [15]). To ease presentation, the formula X̄^m φ is short for X̄X̄...X̄φ with m X̄-operators. Our operator is somewhat different to the standard use of X̄: it can only precede an atomic proposition or an atomic proposition which is preceded by further X̄-operators. Hence, the restricted use of the X̄-operator does not give us the full flexibility (or succinctness gains [16]) of past-time LTL. Using the X̄-operator, let us now formally define the urgency of an LTL formula φ using a pattern matching on φ as follows:

Definition 5. Let φ be an LTL formula, and Υ : LTL → N^{≥0} be an inductively defined function assigning a level of urgency to an LTL formula as follows.

$$\Upsilon(\varphi) = \text{match } \varphi \text{ with } \begin{cases} \varphi_1 \lor \varphi_2 \mid \varphi_1 \land \varphi_2 & \rightarrow \max(\Upsilon(\varphi_1), \Upsilon(\varphi_2))\\ \overline{\mathbf{X}}\varphi' & \rightarrow 1 + \Upsilon(\varphi')\\ \_ & \rightarrow 0 \end{cases}$$

A formula φ is said to be more urgent than formula ψ, if and only if Υ(φ) > Υ(ψ) holds. A formula φ where Υ(φ) = 0 holds is said to be not urgent.
Moreover, the above modification to the progression rules obviously has the desired effect: If p ∈ σ, then nothing changes; otherwise, if p ∉ σ, we return X̄p in case the monitor M_i cannot observe p at all, i.e., in case p ∉ AP_i holds. This effectively means that M_i cannot decide whether or not p occurred, and will therefore turn the state formula p into an obligation for some other monitor to evaluate rather than produce a truth-value. Of course, the downside of rewriting future goals into past goals that have to be processed further is that violations or satisfactions of a global goal will usually be detected after they have occurred. However, since there is no central observer which records all events at the same time, the monitors need to communicate their respective results to other monitors, which, on a synchronous bus, occupies one or more time steps, depending on how often a result needs to be passed on until it reaches a monitor which is able to actually state a verdict. We shall later give an upper bound on these communication times, and show that our decentralised monitoring framework is, in fact, optimal under the given assumptions (see Theorem 2).

Example 1. Let us assume we have a decentralised system consisting of three components, A, B, C, such that AP_A = {a}, AP_B = {b}, and AP_C = {c}, and that a global formula φ = F(a ∧ b ∧ c) needs to be monitored in a decentralised manner. Let us further assume that, initially, φ^0_A = φ^0_B = φ^0_C = φ. Let σ = {a, b} be the system event at time 0; that is, M_A (resp. M_B, M_C) observes Π_A(σ) = {a} (resp. Π_B(σ) = {b}, Π_C(σ) = ∅) when σ occurs. The rewriting that takes place in all three monitors to generate the next local goal formula, using the modified set of rules, and triggered by σ, is as follows:

$$\begin{aligned}
\varphi^1_A &= P(\varphi, \{a\}, \{a\}) = P(a, \{a\}, \{a\}) \land P(b, \{a\}, \{a\}) \land P(c, \{a\}, \{a\}) \lor \varphi = \overline{\mathbf{X}}b \land \overline{\mathbf{X}}c \lor \varphi\\
\varphi^1_B &= P(\varphi, \{b\}, \{b\}) = P(a, \{b\}, \{b\}) \land P(b, \{b\}, \{b\}) \land P(c, \{b\}, \{b\}) \lor \varphi = \overline{\mathbf{X}}a \land \overline{\mathbf{X}}c \lor \varphi\\
\varphi^1_C &= P(\varphi, \emptyset, \{c\}) = P(a, \emptyset, \{c\}) \land P(b, \emptyset, \{c\}) \land P(c, \emptyset, \{c\}) \lor \varphi = \overline{\mathbf{X}}a \land \overline{\mathbf{X}}b \land \bot \lor \varphi = \varphi
\end{aligned}$$

But we have yet to define progression for past goals: For this purpose, each monitor has local storage to keep a bounded number of past events. The event that occurred at time t − k is referred to as σ(−k). On a monitor observing Σ_i, the progression of a past goal X̄^m φ, at time t ≥ m, is defined as follows:

$$P(\overline{\mathbf{X}}^m\varphi, \sigma, AP_i) = \begin{cases} \top & \text{if } \varphi = p \text{ for some } p \in \Pi_i(\sigma(-m)),\\ \bot & \text{if } \varphi = p \text{ for some } p \in AP_i \setminus \Pi_i(\sigma(-m)),\\ \overline{\mathbf{X}}^{m+1}\varphi & \text{otherwise,} \end{cases} \qquad (2)$$

where, for i ∈ [1, n], Π_i is the projection function associated to each monitor M_i, respectively. Note that since we do not allow X̄ for the specification of a global system monitoring property, our definitions will ensure that the local monitoring goals, φ_i, will never be of the form X̄XXp, which is equivalent to a future obligation, despite the initial X̄. In fact, our rules ensure that a formula preceded by the X̄-operator is either an atomic proposition, or an atomic proposition which is preceded by one or many X̄-operators. Hence, in rule (2), we do not need to consider any other cases for φ.

5 Semantics 

In the previous example, we can clearly see that monitors M_A and M_B cannot determine whether or not σ, if interpreted as a trace of length 1, is a good prefix for the global goal formula φ.¹ Monitor M_C, on the other hand, did not observe an action c, and therefore is the only monitor after time 0 which knows that σ is not a good prefix, and that, as before, after time 1, φ is the goal that needs to be satisfied by the system under scrutiny. Intuitively, the other two monitors know that if their respective past goals were satisfied, then σ would be a good prefix, but in order to determine this information, they need to send and receive messages to and from each other, containing obligations, i.e., LTL formulae.

¹ Note that L(φ), being a liveness language [17], does not have any bad prefixes.
Before we outline how this is done in our setting, let us discuss the semantics we obtain from this decentralised application of progression. We already said that monitors detect good and bad prefixes for a global formula. In other words, if a monitor's progression evaluates to ⊤ (resp. ⊥), then the trace seen so far is a good (resp. bad) prefix, and if none of the monitors comes to a Boolean truth-value as verdict, we keep monitoring. This latter case indicates that, so far, the trace is neither a good nor a bad prefix for the global formula.

Definition 6. Let C = {C_1, ..., C_n} be the set of system components, φ ∈ LTL be a global goal, and M = {M_1, ..., M_n} be the set of component monitors. Further, let u = u_1(0) ∪ ... ∪ u_n(0) ··· u_1(t) ∪ ... ∪ u_n(t) ∈ Σ* be the global behavioural trace of the system, obtained by composition of all local component traces, at time t ∈ N^{≥0}. If for some component C_i, with i ≤ n, containing a local obligation φ^t_i, M_i reports P(φ^t_i, u_i(t), AP_i) = ⊤ (resp. ⊥), then u ⊨_D φ = ⊤ (resp. ⊥). Otherwise, we have u ⊨_D φ = ?.

By ⊨_D we denote the satisfaction relation on finite traces in the decentralised setting to differentiate it from LTL3 as well as standard LTL, which is defined on infinite traces. Obviously, ⊨_3 and ⊨_D both yield values from the same truth-domain. However, the semantics are not equivalent, since the modified progression function used in the above definition sometimes rewrites a state formula into an obligation concerning the past rather than returning a verdict. On the other hand, in the case of a one-component system (i.e., all propositions of a formula can be observed by a single monitor), the definition of ⊨_D matches Theorem 1, in particular because our progression rule (1) is then equivalent to the standard case. Monitoring LTL3 with progression becomes a special case of decentralised monitoring, in the following sense:

Corollary 1. If |M| = 1, then ∀u ∈ Σ*. ∀φ ∈ LTL. u ⊨_3 φ = u ⊨_D φ.

6 Communication and decision making 

Let us now describe the communication mechanism that enables local monitors to determine whether a trace is a good 
or a bad prefix. Recall that each monitor only sees a projection of an event to its locally observable set of actions, 
encoded as a set of atomic propositions, respectively. 

Generally, at time t, when receiving an event σ, a monitor, M_i, will progress its current obligation, φ^t_i, into P(φ^t_i, σ, AP_i), and send the result to another monitor, M_{j≠i}, whenever the most urgent obligation, ψ ∈ sus(P(φ^t_i, σ, AP_i)), is such that Prop(ψ) ⊆ AP_j holds, where sus(φ) is the set of urgent subformulae of φ and Prop : LTL → 2^AP is the function which yields the set of occurring propositions of an LTL formula.

Definition 7. The function sus : LTL → 2^LTL is inductively defined as follows:

$$sus(\varphi) = \text{match } \varphi \text{ with } \begin{cases} \varphi_1 \lor \varphi_2 \mid \varphi_1 \land \varphi_2 & \rightarrow sus(\varphi_1) \cup sus(\varphi_2)\\ \neg\varphi' & \rightarrow sus(\varphi')\\ \overline{\mathbf{X}}\varphi' & \rightarrow \{\overline{\mathbf{X}}\varphi'\}\\ \_ & \rightarrow \emptyset \end{cases}$$

The set sus(φ) contains the past sub-formulae of φ, i.e., sub-formulae starting with a future temporal operator are discarded. It uses the fact that, in decentralised progression, X̄-operators are only introduced in front of atomic propositions. Thus, only the cases mentioned explicitly in the pattern matching need to be considered. Moreover, for formulae of the form X̄φ', i.e., starting with an X̄-operator, it is not needed to apply sus to φ' because φ' is necessarily of the form X̄^m p with m ≥ 0 and p ∈ AP, and does not contain more urgent formulae than X̄φ'.

Note that, if there are several equally urgent obligations for distinct monitors, then M_i sends the formula to only one of the corresponding monitors according to a priority order between monitors. Using this order ensures that the delay induced by evaluating the global system specification in a decentralised fashion is bounded, as we shall see in Theorem 2. For simplicity, in the following, for a set of component monitors M = {M_1, ..., M_n} the sending order is the natural order on the interval [1, n]. This choice of the local monitor to send the obligation is encoded through the function Mon : M × 2^AP → M. For a monitor M_i ∈ M and a set of atomic propositions AP' ∈ 2^AP, Mon(M_i, AP') is the monitor M_{j_min} s.t. j_min is the smallest integer in [1, n] s.t. there is a monitor for an atomic proposition in AP'. Formally: Mon(M_i, AP') = M_{j_min}, where j_min = min{ j ∈ [1, n] \ {i} | AP' ∩ AP_j ≠ ∅ }.
Table 2: Decentralised progression of φ = F(a ∧ b ∧ c) in a 3-component system. (Cells marked [grey] are the ones Example 2 refers to; the events σ at t = 2 and t = 3 are not legible in the source.)

t = 0, σ = {a, b}:
  M_A: φ^1_A := P(φ, σ, AP_A) = X̄b ∧ X̄c ∨ φ
  M_B: φ^1_B := P(φ, σ, AP_B) = X̄a ∧ X̄c ∨ φ
  M_C: φ^1_C := P(φ, σ, AP_C) = φ   [grey]

t = 1, σ = {a, b, c}:
  M_A: φ^2_A := P(φ^1_B ∧ #, σ, AP_A) = X̄²c ∨ (X̄b ∧ X̄c ∨ φ)
  M_B: φ^2_B := P(φ^1_A ∧ #, σ, AP_B) = X̄²c ∨ (X̄a ∧ X̄c ∨ φ)
  M_C: φ^2_C := P(φ, σ, AP_C) = X̄a ∧ X̄b ∨ φ

t = 2:
  M_A: φ^3_A := P(φ^2_C ∧ #, σ, AP_A) = X̄²b ∨ (X̄b ∧ X̄c ∨ φ)
  M_B: φ^3_B := P(#, σ, AP_B) = #
  M_C: φ^3_C := P(φ^2_A ∧ φ^2_B ∧ #, σ, AP_C) = X̄²a ∧ X̄²b ∨ φ

t = 3:
  M_A: φ^4_A := P(φ^3_C ∧ #, σ, AP_A) = X̄³b ∨ (X̄b ∧ X̄c ∨ φ)
  M_B: φ^4_B := P(φ^3_A ∧ #, σ, AP_B) = ⊤   [grey]
  M_C: φ^4_C := P(#, σ, AP_C) = #

Once M_i has sent P(φ^t_i, σ, AP_i), it sets φ^{t+1}_i = #, where # ∉ AP is a special symbol for which we define progression by

$$P(\#, \sigma, AP_i) = \# \qquad (3)$$

and, for all φ ∈ LTL, φ ∧ # = φ. On the other hand, whenever M_i receives a formula, φ^t_j, sent from a monitor M_j, it will add the new formula to its existing obligation, i.e., its current obligation φ^t_i will be replaced by the conjunction φ^t_i ∧ φ^t_j. Should M_i receive further obligations from other monitors but j, it will add each new obligation as an additional conjunct in the same manner.

Let us now summarise the above steps in the form of an explicit algorithm that describes how the local monitors operate and make decisions.

Algorithm L (Local Monitor). Let φ be a global system specification, and M = {M_1, ..., M_n} be the set of component monitors. The algorithm Local Monitor, executed on each M_i, returns ⊤ (resp. ⊥), if σ ⊨_D φ^t_i (resp. σ ⊭_D φ^t_i) holds, where σ ∈ Σ_i is the projection of an event to the observable set of actions of the respective monitor, and φ^t_i the monitor's current local obligation.

L1. [Next goal.] Let t ∈ N^{≥0} denote the current time step and φ^t_i be the monitor's current local obligation. If t = 0, then set φ^t_i := φ.
L2. [Receive event.] Read next σ.
L3. [Receive messages.] Let {φ^t_j}_{j ∈ [1, n], j ≠ i} be the set of received obligations at time t from other monitors. Set φ^t_i := φ^t_i ∧ ⋀_{j ∈ [1, n], j ≠ i} φ^t_j.
L4. [Progress.] Determine P(φ^t_i, σ, AP_i) and store the result in φ^{t+1}_i.
L5. [Evaluate and return.] If φ^{t+1}_i = ⊤ return 〈⊤〉; if φ^{t+1}_i = ⊥ return ⊥.
L6. [Communicate.] Set ψ ∈ sus(φ^{t+1}_i) to be the most urgent obligation of φ^{t+1}_i. Send φ^{t+1}_i to monitor Mon(M_i, Prop(ψ)).
L7. [Replace goal.] If in step L6 a message was sent at all, set φ^{t+1}_i := #. Then go back to step L1. □

The input to the algorithm, σ, will usually resemble the latest observation in a consecutively growing trace, u_i = u_i(0) ··· u_i(t), i.e., σ = u_i(t). We then have that σ ⊨_D φ^t_i (i.e., the algorithm returns ⊤) implies that u ⊨_D φ holds (resp. for u ⊭_D φ).

Example 2. To see how this algorithm works, let us continue the decentralised monitoring process initiated in Example 1. Table 2 shows how the situation evolves for all three monitors, when the global LTL specification in question is $\mathbf{F}(a \wedge b \wedge c)$ and the ordering between components is $A < B < C$. An evolution of $M_A$'s local obligation, encoded as $P(\varphi_B \wedge \#, \sigma, AP_A)$ (see cell $M_A$ at $t = 1$), indicates that communication between the monitors has occurred: $M_B$ sent its obligation to $M_A$ at the end of step 0. Likewise for the other obligations and monitors. The interesting situations are marked in grey: in particular at $t = 0$, $M_C$ is the only monitor who knows for sure that, so far, no good nor bad prefix occurred (see grey cell at $t = 0$). At $t = 1$, we have the desired situation $\sigma = \{a, b, c\}$, but because none of the monitors can see the other monitors' events, it takes another two rounds of communication until both $M_A$ and $M_B$ detect that, indeed, the global obligation had been satisfied at $t = 1$ (see grey cell at $t = 3$).

This example highlights a worst case delay between the occurrence and the detection of a good (resp. bad) trace by a good (resp. bad) prefix, caused by the time it takes for the monitors to communicate obligations to each other. This delay directly depends on the number of monitors in the system, and is also the upper bound for the number of past events each monitor needs to store locally in order to be able to progress all occurring past obligations:

Theorem 2. Let, for any $p \in AP$, $\mathbf{X}^m p$ be a local obligation obtained by Algorithm L executed on some monitor $M_i \in \mathcal{M}$. At any time $t \in \mathbb{N}^{\geq 0}$, $m \leq \min(|\mathcal{M}|, t + 1)$.

Proof. We provide below a sketch of the proof explaining the intuition on the theorem. The formal proof can be found in Appendix A.3.

Recall that X-operators are only introduced directly in front of atomic propositions according to rule (1) when $M_i$ rewrites a propositional formula $p$ with $p \notin AP_i$. Further X-operators can only be added according to rule (2) when $M_i$ is unable to evaluate an obligation of the form $\mathbf{X} p$. The interesting situation occurs when a monitor $M_i$ maintains a set of urgent obligations of the form $\{\mathbf{X} p_1, \ldots, \mathbf{X}^m p_l\}$ with $l, m \in \mathbb{N}^{>0}$; then, according to step L6 of Algorithm L, $M_i$ will transmit the obligations to one monitor only, thereby adding one additional X-operator to the remaining obligations: $\{\mathbf{X}^2 p_2, \ldots, \mathbf{X}^{m+1} p_l\}$. Obviously, a single monitor cannot have more than $|\mathcal{M}| - 1$ outstanding obligations that need to be sent to the other monitors at any time $t$. So, the worst case delay is initiated during monitoring, if at some time all outstanding obligations of each monitor $M_i$, $i \in [1, |\mathcal{M}|]$, are of the form $\{\mathbf{X} p_1, \ldots, \mathbf{X} p_l\}$ with $p_1, \ldots, p_l \notin AP_i$ (i.e., the obligations are all equally urgent), in which case it takes $|\mathcal{M}| - 1$ time steps until the last one has been chosen to be sent to its respective monitor $M_j$. Using an ordering between components ensures here that each set of obligations will decrease in size after being transmitted once. Finally, a last monitor $M_j$ will receive an obligation of the form $\mathbf{X}^l p_k$ with $1 \leq k \leq l$ and $p_k \in AP_j$. □

Consequently, the monitors only need to memorise a bounded history of the trace read so far, i.e., the last $|\mathcal{M}|$ events.

Example 2 also illustrates the relationship to the LTL$_3$ semantics discussed earlier in Sec. 3. This relationship is formalised by the two following theorems stating the "soundness and completeness" of the algorithm.

Theorem 3. Let $\varphi \in LTL$ and $u \in \Sigma^*$, then $u \models_D \varphi = \top/\bot \Rightarrow u \models_3 \varphi = \top/\bot$, and $u \models_3 \varphi = \mathord{?} \Rightarrow u \models_D \varphi = \mathord{?}$.

In particular, the example shows how the other direction of the theorem does not necessarily hold. Consider the trace $u = \{a, b\} \cdot \{a, b, c\}$: clearly, $u \models_3 \mathbf{F}(a \wedge b \wedge c) = \top$, but we have $u \models_D \mathbf{F}(a \wedge b \wedge c) = \mathord{?}$ in our example. Again, this is a direct consequence of the delay introduced in our setting.

However, Algorithm L detects all verdicts for a specification as if the system were not distributed, at most $n$ events later:

Theorem 4. Let $\varphi \in LTL$ and $u \in \Sigma^*$, then $u \models_3 \varphi = \top/\bot \Rightarrow \exists u' \in \Sigma^*.\ |u'| \leq n \wedge u \cdot u' \models_D \varphi = \top/\bot$, where $n$ is the number of components in the system.
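The following Python model of Algorithm L is an added example written for this page; it is neither DecentMon nor any code from the paper. It re-implements progression with the symbol #, past obligations $\mathbf{X}^m p$ resolved against a bounded local history, and the synchronous exchange of steps L2 to L7, then runs Example 2's trace $u = \{a,b\} \cdot \{a,b,c\}$ against $\mathbf{F}(a \wedge b \wedge c)$ both centrally and decentrally. Two details are my own assumptions rather than the page's: the owner of $p$ resolves $\mathbf{X}^m p$ by looking $m$ events back in its own history, and ties between equally urgent obligations are broken by the component ordering $A < B < C$.

```python
# Constructed example for this page (not DecentMon): a small model of Algorithm L.
# Formulas are nested tuples, the special symbol # is HASH, and ("past", m, p)
# stands for the obligation X^m p ("p held m steps ago"), resolvable only by p's owner.
from dataclasses import dataclass, field

TOP, BOT, HASH = ("top",), ("bot",), ("hash",)

def ap(p):      return ("ap", p)
def past(m, p): return ("past", m, p)
def F(f):       return ("F", f)

def Not(f):
    return BOT if f == TOP else TOP if f == BOT else ("not", f)

def And(f, g):
    # phi AND # = phi as on the page; the rest is ordinary Boolean simplification
    if f in (TOP, HASH): return g
    if g in (TOP, HASH): return f
    if BOT in (f, g):    return BOT
    return f if f == g else ("and", f, g)

def Or(f, g):
    if TOP in (f, g): return TOP
    if f == BOT:      return g
    if g == BOT:      return f
    return f if f == g else ("or", f, g)

def progress(f, sigma, ap_i, hist):
    """P(f, sigma, AP_i) for monitor i reading local event sigma; hist[0..t-1] are its
    earlier local events, so X^m p is resolved against hist[t-m] (assumed reading of (1)/(2))."""
    k = f[0]
    if k in ("top", "bot", "hash"):
        return f                                   # P(#, sigma, AP_i) = #
    if k == "ap":
        p = f[1]
        if p in ap_i:
            return TOP if p in sigma else BOT
        return past(1, p)                          # rule (1): defer to p's owner
    if k == "past":
        m, p = f[1], f[2]
        if p not in ap_i:
            return past(m + 1, p)                  # rule (2): one more X
        t = len(hist)
        assert t - m >= 0, "obligation older than the stored history"
        return TOP if p in hist[t - m] else BOT
    step = lambda g: progress(g, sigma, ap_i, hist)
    if k == "not":  return Not(step(f[1]))
    if k == "and":  return And(step(f[1]), step(f[2]))
    if k == "or":   return Or(step(f[1]), step(f[2]))
    if k == "next": return f[1]
    if k == "F":    return Or(step(f[1]), f)
    if k == "G":    return And(step(f[1]), f)
    if k == "U":    return Or(step(f[2]), And(step(f[1]), f))
    raise ValueError(k)

def obligations(f):
    """sus(f): every urgent obligation X^m p occurring in f."""
    if f[0] == "past":
        return [f]
    return [o for g in f[1:] if isinstance(g, tuple) for o in obligations(g)]

@dataclass
class Monitor:
    ap_i: frozenset
    goal: tuple
    hist: list = field(default_factory=list)
    inbox: list = field(default_factory=list)

def monitor(phi, components, order, trace):
    """Run Algorithm L on each component over a global trace (list of event sets).
    components maps a name to its alphabet AP_i; order breaks ties in step L6; a single
    component owning every proposition is the central monitor. Returns (verdict, t)."""
    mons = {n: Monitor(frozenset(aps), phi) for n, aps in components.items()}
    owner = {p: n for n, aps in components.items() for p in aps}
    for t, event in enumerate(trace):
        outgoing = []
        for m in mons.values():
            sigma = frozenset(event) & m.ap_i                      # L2
            for msg in m.inbox:                                    # L3
                m.goal = And(m.goal, msg)
            m.inbox.clear()
            m.goal = progress(m.goal, sigma, m.ap_i, m.hist)       # L4
            m.hist.append(sigma)
            if m.goal in (TOP, BOT):                               # L5
                return m.goal, t
            urgent = obligations(m.goal)                           # L6
            if urgent:
                psi = min(urgent, key=lambda o: (-o[1], order.index(owner[o[2]])))
                outgoing.append((owner[psi[2]], m.goal))           # Mon(M_i, Prop(psi))
                m.goal = HASH                                      # L7
        for dest, msg in outgoing:                                 # read at t + 1
            mons[dest].inbox.append(msg)
    return None, len(trace)

# Example 2 of the page: F(a AND b AND c) over components A < B < C, one proposition each.
PHI = F(And(ap("a"), And(ap("b"), ap("c"))))
COMPONENTS = {"A": {"a"}, "B": {"b"}, "C": {"c"}}
ORDER = ["A", "B", "C"]
TRACE = [{"a", "b"}, {"a", "b", "c"}]      # u = {a,b}.{a,b,c}, constructed input
```

The central run returns ⊤ at $t = 1$, the decentralised run returns no verdict on $u$ alone (the "?" of Theorem 3), and appending two further events yields ⊤ at $t = 3$, within the $n = 3$ bound of Theorem 4.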

7 Experimental results 

DecentMon is an implementation, simulating the above distributed LTL monitoring algorithm in 1,800 LLOC, written in the functional programming language OCaml. It can be freely downloaded and run from [18]. The system takes as input multiple traces (that can be automatically generated), corresponding to the behaviour of a distributed system, and an LTL formula. Then the formula is monitored against the traces in two different modes: a) by merging the traces to a single, global trace and then using a "central monitor" for the formula (i.e., all local monitors send their respective events to the central monitor who makes the decisions regarding the trace), and b) by using the decentralised approach introduced in this paper (i.e., each trace is read by a separate monitor). We have evaluated the two different monitoring approaches (i.e., centralised vs. decentralised) using two different set-ups described in the remainder of this section.

Evaluation of randomly generated formulae. DecentMon randomly generated 1,000 LTL formulae of various sizes in the architecture described in Example 1. How both monitoring approaches compared on these formulae can be seen in Table 3. The first columns show the size of the monitored LTL formulae and the underlying alphabet(s) of the monitor(s). Note that our system measures formula size in terms of the operator entailment (see footnote) inside it (state formulae excluded), e.g., $\mathbf{G}(a \wedge b) \vee \mathbf{F}c$ is of size 2. The entry |trace| denotes the average length of the traces needed to reach a verdict. For example, the last line in Table 3 says that we monitored 1,000 randomly generated LTL formulae of size 6. On average, traces were of length 11.808 when the central monitor came to a verdict, and of length 12.366 when one of the local monitors came to a verdict. The difference ratio, given in the second last column, then shows the average delay; that is, on average the traces were 1.0472 times longer in the decentralised setting than the traces in the centralised setting. The number of messages, #msg., in the centralised setting corresponds to the number of events sent by the local monitors to the central monitor (i.e., $|trace| \times |\Sigma_D|$), and in the decentralised setting to the number of obligations transmitted between local monitors. What is striking here is that the amount of communication needed in the decentralised setting is only ca. 25% of the communication overhead induced by central monitoring, where local monitors need to send each event to a central monitor.

Table 3: Benchmarks for randomly generated LTL formulae

                               centralised            decentralised          diff. ratio
|φ|    Σ_C and Σ_D             |trace|    #msg.       |trace|    #msg.       |trace|    #msg.
 1     {a,b,c}  {a|b|c}         1.369     4.107        1.634     0.982       1.1935    0.2391
 2     {a,b,c}  {a|b|c}         2.095     6.285        2.461     1.647       1.1747    0.262
 3     {a,b,c}  {a|b|c}         3.518    10.554        4.011     2.749       1.1401    0.2604
 4     {a,b,c}  {a|b|c}         5.889    17.667        6.4       4.61        1.0867    0.2609
 5     {a,b,c}  {a|b|c}         9.375    28.125        9.935     7.879       1.0597    0.2801
 6     {a,b,c}  {a|b|c}        11.808    35.424       12.366     9.912       1.0472    0.2798

Table 4: Benchmarks for LTL specification patterns

                                             centralised             decentralised           diff. ratio
pattern              Σ_C and Σ_D             |trace|     #msg.       |trace|     #msg.       |trace|    #msg.
absence              {a,b,c}  {a|b|c}        156.17     468.51       156.72      37.94       1.0035    0.0809
existence            {a,b,c}  {a|b|c}        189.90     569.72       190.42      44.41       1.0027    0.0779
bounded existence    {a,b,c}  {a|b|c}        171.72     515.16       172.30      68.72       1.0033    0.1334
universal            {a,b,c}  {a|b|c}         97.03     291.09        97.66      11.05       1.0065    0.0379
precedence           {a,b,c}  {a|b|c}        224.11     672.33       224.72      53.703      1.0027    0.0798
response             {a,b,c}  {a|b|c}        636.28   1,908.86       636.54     360.33       1.0004    0.1887
precedence chain     {a,b,c}  {a|b|c}        200.23     600.69       200.76      62.08       1.0026    0.1033
response chain       {a,b,c}  {a|b|c}        581.20   1,743.60       581.54     377.64       1.0005    0.2165

Evaluation using specification patterns. In order to evaluate our approach also on realistic LTL specifications, we conducted benchmarks using LTL formulae following the well-known LTL specification patterns [19] (the actual formulae underlying the patterns are available at this site [20] and recalled in [18]). In this context, to randomly generate formulae, we proceeded as follows. For a given specification pattern, we randomly select one of the formulae associated to it. Such a formula is "parametrised" by some atomic propositions. To obtain the randomly generated formula, using the distributed alphabet, we randomly instantiate the atomic propositions.

The results of this test are reported in Table 4: for each kind of pattern (absence, existence, bounded existence, universal, precedence, response, precedence chain, response chain, constrained chain), we generated again 1,000 formulae, monitored over the same architecture as used in Example 1.

Footnote (on formula size): Our practical experiments show that this way of measuring the size of a formula is more representative of how difficult it is to progress it in a decentralised manner.
Summary. Both benchmarks certainly substantiate that the decentralised monitoring of an LTL formula induces a much lower communication overhead compared to a centralised solution. In fact, when considering the more realistic benchmark using the specification patterns, the communication overhead was significantly lower compared to monitoring randomly generated formulae. The same is true for the delay: in case of monitoring LTL formulae corresponding to specification patterns, the delay is almost negligible; that is, the local monitors detect violation/satisfaction of a monitored formula at almost the same time as a global monitor with access to all observations at any time. Note that we have further benchmarks available on [18] (omitted for space reasons), also to highlight the effect of differently sized alphabets and to validate the maximal delay (Theorem 2). Note further that in our tests we have used continuous simplification of the goal formulae in order to avoid a formula explosion problem caused by rewriting. In DecentMon, advanced syntactic simplification rules were introduced and were sufficient for the purpose of our experiments.

8 Related work and conclusions 

This work is by no means the first to introduce an approach to monitoring the behaviour of distributed systems. For example, [21] introduced MTTL, a temporal logic for describing properties of asynchronous systems, as well as a monitoring procedure that, given a partially ordered execution of a parallel asynchronous system, establishes whether or not there exist runs in the execution that violate a given MTTL correctness property. While at first this may seem to coincide with the work presented in this paper, there are noteworthy differences: First, many of the problems addressed in [21] stem from the fact that the systems to be monitored operate concurrently; that is, they create a partially ordered set of behaviours. Our application domain is distributed but synchronous systems. Second, we take LTL "off-the-shelf"; that is, we do not add modalities to express properties concerning the distributed nature of the system under scrutiny. On the contrary, our motivation is to enable users to conceive a possibly distributed system as a single, monolithic system by enabling them to specify properties over the outside visible behaviour only, independent of implementation-specific details such as the number of threads or components, and to automatically "distribute the monitoring" process for such properties for them. (Arguably, this also bears the advantage that users do not need to learn another formalism to express system properties.) Finally, we address the fact that in many distributed systems it is not possible to collect a global trace or insert a global decision making point, thereby forcing the automatically distributed monitors to communicate. But at the same time we try to keep communication at a minimum; that is, to not transmit the occurrence of every single observed event, because many such applications would not tolerate this kind of overhead. This aspect, on the other hand, does not play a role in [21], where the implementation was tried on parallel (Java) programs which are not executed on physically separated CPUs as in our case, and where one can collect a set of global behaviours to reason about.

Other recent works like [22] target physically distributed systems, but do not focus on the communication overhead that may be induced by their monitoring. Similarly, this work also mainly addresses the problem of monitoring systems which produce partially ordered traces (à la Diekert and Gastin), and introduces abstractions to deal with the combinatorial explosion of these traces.

To the best of our knowledge, our work is the first to address the problem of automatically distributing LTL monitors, and to introduce a decentralised monitoring approach that not only avoids a global point of observation or any form of central trace collection, but also tries to keep the number of communicated messages between monitors at a minimum. What is more, our experimental results show that this approach does not only "work on paper", but that it can feasibly be implemented. Indeed, the expected savings in communication overhead could be observed for the set of chosen LTL formulae and the automatically generated traces, when compared to a centralised solution in which the local monitors transmit all observed events to a global monitor.
A Proofs

This section contains the proofs of the results stated in this paper.

A.1 Proofs for Section 3

Proof of Lemma 1. The following inductive proof follows the argument conveyed by Proposition 3 of [12]. For completeness' sake, here we want to give the complete, formal, detailed proof.

The lemma is a direct consequence of the semantics of LTL (Definition 1) and the definition of progression (Definition 2). Recall that this lemma states that the progression function "mimics" the LTL semantics on some event $\sigma$.

Proof. We shall prove the following statement:

$\forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ \forall \varphi \in LTL.\ \sigma \cdot w \models \varphi \Leftrightarrow w \models P(\varphi, \sigma).$

Let us consider an event $\sigma \in \Sigma$ and an infinite trace $w \in \Sigma^\omega$; the proof is done by a structural induction on $\varphi \in LTL$.

Base Case: $\varphi \in \{\top, \bot, p \in AP\}$.

- Case $\varphi = \top$. This case is trivial since, according to the definition of the progression function, $\forall \sigma \in \Sigma.\ P(\top, \sigma) = \top$. Moreover, according to the LTL semantics of $\top$, $\forall w \in \Sigma^\omega.\ w \models \top$.

- Case $\varphi = \bot$. This case is symmetrical to the previous one.

- Case $\varphi = p \in AP$. Recall that, according to the progression function for atomic propositions, we have $P(p, \sigma) = \top$ if $p \in \sigma$ and $\bot$ otherwise.

• Let us suppose that $\sigma \cdot w \models p$. According to the LTL semantics of atomic propositions, it means that $p \in \sigma$, and thus $P(p, \sigma) = \top$. And, due to the LTL semantics of $\top$, we have $\forall w \in \Sigma^\omega.\ w \models \top$.

• Let us suppose that $w \models P(p, \sigma)$. Since $P(p, \sigma) \in \{\top, \bot\}$, we have necessarily $P(p, \sigma) = \top$. According to the progression function, $P(p, \sigma) = \top$ amounts to $p \in \sigma$. Using the LTL semantics of atomic propositions, we deduce that $\sigma \cdot w \models p$.

Induction Case: $\varphi \in \{\neg\varphi', \varphi_1 \vee \varphi_2, \varphi_1 \wedge \varphi_2, \mathbf{G}\varphi', \mathbf{F}\varphi', \mathbf{X}\varphi', \varphi_1 \mathbf{U} \varphi_2\}$. Our induction hypothesis states that the lemma holds for some formulae $\varphi', \varphi_1, \varphi_2 \in LTL$.

- Case $\varphi = \neg\varphi'$. On one hand, using the progression function for $\neg$, we have $P(\neg\varphi', \sigma) = \neg P(\varphi', \sigma)$. On the other hand, using the LTL semantics of operator $\neg$, we have $w \models \neg\varphi \Leftrightarrow w \not\models \varphi$. Thus, we have $\sigma \cdot w \models \neg\varphi'$ iff $\sigma \cdot w \not\models \varphi'$ iff (induction hypothesis on $\varphi'$) $w \not\models P(\varphi', \sigma)$ iff $w \models \neg P(\varphi', \sigma)$ iff $w \models P(\neg\varphi', \sigma)$.

- Case $\varphi = \varphi_1 \vee \varphi_2$. Recall that, according to the progression function for operator $\vee$, we have $P(\varphi_1 \vee \varphi_2, \sigma) = P(\varphi_1, \sigma) \vee P(\varphi_2, \sigma)$.

• Let us suppose that $\sigma \cdot w \models \varphi_1 \vee \varphi_2$. We distinguish again two sub-cases: $\varphi_1 \vee \varphi_2 = \top$ or $\varphi_1 \vee \varphi_2 \neq \top$. If $\varphi_1 \vee \varphi_2 = \top$, then this case reduces to the case where $\varphi = \top$, already treated. If $\varphi_1 \vee \varphi_2 \neq \top$, it means that either $\sigma \cdot w \models \varphi_1$ or $\sigma \cdot w \models \varphi_2$. Let us treat the case where $\sigma \cdot w \models \varphi_1$ (the other case is similar). From $\sigma \cdot w \models \varphi_1$, we can apply the induction hypothesis on $\varphi_1$ to obtain $w \models P(\varphi_1, \sigma)$, then $w \models P(\varphi_1, \sigma) \vee P(\varphi_2, \sigma) = P(\varphi_1 \vee \varphi_2, \sigma)$.

• Let us suppose that $w \models P(\varphi_1 \vee \varphi_2, \sigma) = P(\varphi_1, \sigma) \vee P(\varphi_2, \sigma)$. We distinguish again two sub-cases: $P(\varphi_1 \vee \varphi_2, \sigma) = \top$ or $P(\varphi_1 \vee \varphi_2, \sigma) \neq \top$.

* If $P(\varphi_1 \vee \varphi_2, \sigma) = \top$, then we again distinguish two sub-cases:

· If $P(\varphi_1, \sigma) = \top$ or $P(\varphi_2, \sigma) = \top$. Let us treat the case where $P(\varphi_1, \sigma) = \top$ (the other case is similar). Applying the induction hypothesis on $\varphi_1$, we have $\sigma \cdot w \models \varphi_1 \Leftrightarrow w \models P(\varphi_1, \sigma)$. Then, considering $w \in \Sigma^\omega$, we have $\sigma \cdot w \models \varphi_1$, and consequently $\sigma \cdot w \models \varphi_1 \vee \varphi_2$.

· If $P(\varphi_1, \sigma) \neq \top$ and $P(\varphi_2, \sigma) \neq \top$, then we have $P(\varphi_1, \sigma) = \neg P(\varphi_2, \sigma)$. Applying the induction hypothesis on $\varphi_1$ and $\varphi_2$, we obtain $\sigma \cdot w \models \varphi_1 \Leftrightarrow \sigma \cdot w \not\models \varphi_2$. Let us consider $w \in \Sigma^\omega$. If $\sigma \cdot w \models \varphi_1$, then we have $\sigma \cdot w \models \varphi_1 \vee \varphi_2$. Else ($\sigma \cdot w \not\models \varphi_1$), we have $\sigma \cdot w \models \varphi_2$, and then $\sigma \cdot w \models \varphi_1 \vee \varphi_2$.

* If $P(\varphi_1 \vee \varphi_2, \sigma) \neq \top$, then we have either $w \models P(\varphi_1, \sigma)$ or $w \models P(\varphi_2, \sigma)$. Let us treat the case where $w \models P(\varphi_1, \sigma)$ (the other case is similar). From $w \models P(\varphi_1, \sigma)$, we can apply the induction hypothesis on $\varphi_1$ to obtain $\sigma \cdot w \models \varphi_1$, and thus $\sigma \cdot w \models \varphi_1 \vee \varphi_2$.

- Case $\varphi = \varphi_1 \wedge \varphi_2$. This case is similar to the previous one.

- Case $\varphi = \mathbf{G}\varphi'$. Recall that, according to the progression function for operator $\mathbf{G}$, $P(\mathbf{G}\varphi', \sigma) = P(\varphi', \sigma) \wedge \mathbf{G}\varphi'$.

• Let us suppose that $\sigma \cdot w \models \mathbf{G}\varphi'$. According to the LTL semantics of operator $\mathbf{G}$, we have $\forall i \in \mathbb{N}^{\geq 0}.\ (\sigma \cdot w)^i \models \varphi'$. In particular, it implies that $(\sigma \cdot w)^0 \models \varphi'$, i.e., $\sigma \cdot w \models \varphi'$, and $\forall i \in \mathbb{N}^{\geq 0}.\ (\sigma \cdot w)^{i+1} \models \varphi'$, i.e., $(\sigma \cdot w)^1 = w \models \mathbf{G}\varphi'$. Using the induction hypothesis on $\varphi'$, from $\sigma \cdot w \models \varphi'$, we obtain $w \models P(\varphi', \sigma)$. As expected, according to the LTL semantics of operator $\wedge$, we have $w \models P(\varphi', \sigma) \wedge \mathbf{G}\varphi' = P(\mathbf{G}\varphi', \sigma)$.

• Let us suppose that $w \models P(\mathbf{G}\varphi', \sigma) = P(\varphi', \sigma) \wedge \mathbf{G}\varphi'$. It follows that $w \models P(\varphi', \sigma)$, and thus, using the induction hypothesis on $\varphi'$, $\sigma \cdot w \models \varphi'$. Using the LTL semantics of operator $\mathbf{G}$, from $\sigma \cdot w \models \varphi'$ and $w \models \mathbf{G}\varphi'$, we deduce $\forall i \in \mathbb{N}^{\geq 0}.\ w^i \models \varphi'$, and then $\forall i \in \mathbb{N}^{\geq 0}.\ (\sigma \cdot w)^i \models \varphi'$, i.e., $\sigma \cdot w \models \mathbf{G}\varphi'$.

- Case $\varphi = \mathbf{F}\varphi'$. This case is similar to the previous one.

- Case $\varphi = \mathbf{X}\varphi'$. On one hand, using the progression function for $\mathbf{X}$, we have $P(\mathbf{X}\varphi', \sigma) = \varphi'$. On the other hand, using the LTL semantics of operator $\mathbf{X}$, we have $\sigma \cdot w \models \mathbf{X}\varphi'$ iff $w \models \varphi'$. Thus, we have $\sigma \cdot w \models \mathbf{X}\varphi'$ iff $w \models \varphi'$ iff (induction hypothesis on $\varphi'$) $w \models P(\mathbf{X}\varphi', \sigma)$.

- Case $\varphi = \varphi_1 \mathbf{U} \varphi_2$. Recall that, according to the progression function for operator $\mathbf{U}$, $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) = P(\varphi_2, \sigma) \vee (P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2)$.

• Let us suppose that $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$. According to the LTL semantics of operator $\mathbf{U}$, we have $\exists i \in \mathbb{N}^{\geq 0}.\ (\sigma \cdot w)^i \models \varphi_2 \wedge \forall 0 \leq l < i.\ (\sigma \cdot w)^l \models \varphi_1$. Let us distinguish two cases: $i = 0$ and $i > 0$.

* If $i = 0$, then we have $\sigma \cdot w \models \varphi_2$. Applying the induction hypothesis on $\varphi_2$, we have $w \models P(\varphi_2, \sigma)$, and consequently $w \models P(\varphi_1 \mathbf{U} \varphi_2, \sigma)$.

* Else ($i > 0$), we have $\forall 0 \leq l < i.\ (\sigma \cdot w)^l \models \varphi_1$. Consequently, we have $(\sigma \cdot w)^0 \models \varphi_1$, and thus $\sigma \cdot w \models \varphi_1$. Moreover, from $\forall 0 \leq l < i.\ (\sigma \cdot w)^l \models \varphi_1$, we deduce $\forall 0 \leq l < i - 1.\ w^l \models \varphi_1$. From $(\sigma \cdot w)^i \models \varphi_2$, we deduce $w^{i-1} \models \varphi_2$. From $w^{i-1} \models \varphi_2$ and $\forall 0 \leq l < i.\ (\sigma \cdot w)^l \models \varphi_1$, we deduce $w \models \varphi_1 \mathbf{U} \varphi_2$. Applying the induction hypothesis on $\varphi_1$, from $\sigma \cdot w \models \varphi_1$, we obtain $w \models P(\varphi_1, \sigma)$. Finally, from $w \models \varphi_1 \mathbf{U} \varphi_2$ and $w \models P(\varphi_1, \sigma)$, we obtain $w \models P(\varphi_1 \mathbf{U} \varphi_2, \sigma)$.

• Let us suppose that $w \models P(\varphi_1 \mathbf{U} \varphi_2, \sigma)$. We distinguish two cases: $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) = \top$ and $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) \neq \top$.

* If $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) = P(\varphi_2, \sigma) \vee (P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2) = \top$. We distinguish again two sub-cases.

· If $P(\varphi_2, \sigma) = \top$ or $P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2 = \top$. If $P(\varphi_2, \sigma) = \top$, then applying the induction hypothesis on $\varphi_2$, we have $\sigma \cdot w \models \varphi_2 \Leftrightarrow w \models \top$. Then, from $\sigma \cdot w \models \varphi_2$, we obtain, according to the LTL semantics of operator $\mathbf{U}$, $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$. If $P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2 = \top$, we directly deduce that $\varphi_1 \mathbf{U} \varphi_2 = \top$, and then this case reduces to the case where $\varphi = \top$, already treated.

· If $P(\varphi_2, \sigma) \neq \top$ and $P(\varphi_1, \sigma)  \wedge \varphi_1 \mathbf{U} \varphi_2 \neq \top$, then we have $P(\varphi_2, \sigma) = \neg(P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2) = \neg P(\varphi_1, \sigma) \vee \neg(\varphi_1 \mathbf{U} \varphi_2)$. Applying the induction hypothesis on $\varphi_1$ and $\varphi_2$, we have $\sigma \cdot w \models \varphi_1 \Leftrightarrow w \models P(\varphi_1, \sigma)$, and $\sigma \cdot w \models \varphi_2 \Leftrightarrow w \models P(\varphi_2, \sigma)$, and thus $\sigma \cdot w \models \varphi_2 \Leftrightarrow (\sigma \cdot w \not\models \varphi_1 \vee w \not\models \varphi_1 \mathbf{U} \varphi_2)$. Let us now follow the LTL semantics of operator $\mathbf{U}$ and consider the two cases: $\sigma \cdot w \models \varphi_2$ or $\sigma \cdot w \not\models \varphi_2$. If $\sigma \cdot w \models \varphi_2$, then $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$ (according to the LTL semantics of $\mathbf{U}$). Else ($\sigma \cdot w \not\models \varphi_2$), then $\sigma \cdot w \models \varphi_1$ and $w \models \varphi_1 \mathbf{U} \varphi_2$, and thus $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$.

* If $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) \neq \top$, it means that either $w \models P(\varphi_2, \sigma)$ or $w \models P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2$.

· If $w \models P(\varphi_2, \sigma)$, then applying the induction hypothesis on $\varphi_2$, we have $\sigma \cdot w \models \varphi_2$. Then, following the LTL semantics of operator $\mathbf{U}$, we obtain $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$.

· If $w \models P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2$, then we have $w \models P(\varphi_1, \sigma)$ and $w \models \varphi_1 \mathbf{U} \varphi_2$. Applying the induction hypothesis on $\varphi_1$, we have $\sigma \cdot w \models \varphi_1$. From $w \models \varphi_1 \mathbf{U} \varphi_2$, we have $\exists i \in \mathbb{N}^{\geq 0}.\ w^i \models \varphi_2 \wedge \forall 0 \leq l < i.\ w^l \models \varphi_1$. It implies that $(\sigma \cdot w)^{i+1} \models \varphi_2$ and $\forall 0 < l < i + 1.\ (\sigma \cdot w)^l \models \varphi_1$. Using $\sigma \cdot w \models \varphi_1$, i.e., $(\sigma \cdot w)^0 \models \varphi_1$, and the LTL semantics of operator $\mathbf{U}$, we finally obtain $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$.

□

Proof of Lemma 2. We shall prove the following statement.

$\forall \varphi \in LTL.\ \forall \sigma \in \Sigma.\ P(\varphi, \sigma) = \top \Rightarrow \sigma \in \mathit{good}(\varphi) \ \wedge\ P(\varphi, \sigma) = \bot \Rightarrow \sigma \in \mathit{bad}(\varphi).$

The proof uses the definition of the LTL semantics (Definition 1), the definition of good and bad prefixes (Definition 2), the progression function (Definition 3), and Lemma 1.

Proof. According to Lemma 1, we have $\forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi \Leftrightarrow w \models P(\varphi, \sigma)$. Consequently, we have $\forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi \Leftrightarrow \forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ w \models P(\varphi, \sigma)$ and $\forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \varphi \Leftrightarrow \forall \sigma \in \Sigma.\ \forall w \in \Sigma^\omega.\ w \not\models P(\varphi, \sigma)$. Consequently, when $P(\varphi, \sigma) = \top$, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi$, i.e., $\sigma \in \mathit{good}(\varphi)$. Similarly, when $P(\varphi, \sigma) = \bot$, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \varphi$, i.e., $\sigma \in \mathit{bad}(\varphi)$.

The proof can also be obtained in a more detailed manner as shown below. Let us consider $\sigma \in \Sigma$ and $\varphi \in LTL$. The proof is performed by a structural induction on $\varphi$.

Base Case: $\varphi \in \{\top, \bot, p \in AP\}$.

- Case $\varphi = \top$. In this case, the proof is trivial since $P(\top, \sigma) = \top$ and, according to the LTL semantics of $\top$ and the definition of good prefixes, $\mathit{good}(\top) = \Sigma^*$.

- Case $\varphi = \bot$. Similarly, in this case, the proof is trivial since $P(\bot, \sigma) = \bot$ and $\mathit{bad}(\bot) = \Sigma^*$.

- Case $\varphi = p \in AP$. Let us suppose that $P(p, \sigma) = \top$. According to the progression function, it means that $p \in \sigma$. Moreover, since $\varphi = p$, according to the LTL semantics of atomic propositions, for any $w \in \Sigma^\omega$, we have $\sigma \cdot w \models \varphi$. According to the definition of good prefixes, it means that $\sigma \in \mathit{good}(\varphi)$. The proof for $P(p, \sigma) = \bot \Rightarrow \sigma \in \mathit{bad}(\varphi)$ is similar.
Induction Case: $\varphi \in \{\neg\varphi', \varphi_1 \vee \varphi_2, \varphi_1 \wedge \varphi_2, \mathbf{G}\varphi', \mathbf{F}\varphi', \mathbf{X}\varphi', \varphi_1 \mathbf{U} \varphi_2\}$. Our induction hypothesis states that the lemma holds for some formulae $\varphi', \varphi_1, \varphi_2 \in LTL$.

- Case $\varphi = \neg\varphi'$. In this case, the result is obtained by using the induction hypothesis on $\varphi'$ and the equalities $\bot = \neg\top$ and $\neg(\neg\varphi') = \varphi'$.

- Case $\varphi = \varphi_1 \vee \varphi_2$. Recall that, according to the progression function for operator $\vee$, $P(\varphi_1 \vee \varphi_2, \sigma) = P(\varphi_1, \sigma) \vee P(\varphi_2, \sigma)$.

Let us suppose that $P(\varphi, \sigma) = \top$. We distinguish two cases:

• If $P(\varphi_1, \sigma) = \top$ or $P(\varphi_2, \sigma) = \top$. Let us treat the case where $P(\varphi_1, \sigma) = \top$. Using the induction hypothesis on $\varphi_1$, we have $\sigma \in \mathit{good}(\varphi_1)$. According to the definition of good prefixes, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_1$. We easily deduce, using the LTL semantics of operator $\vee$, that $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_1 \vee \varphi_2$, that is, $\sigma \in \mathit{good}(\varphi_1 \vee \varphi_2)$.

• If $P(\varphi_1, \sigma) \neq \top$ and $P(\varphi_2, \sigma) \neq \top$. Since $P(\varphi, \sigma) = \top$, we have $P(\varphi_1, \sigma) = \neg P(\varphi_2, \sigma)$. Using Lemma 1, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_1 \Leftrightarrow w \models P(\varphi_1, \sigma)$ and $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_2 \Leftrightarrow w \models P(\varphi_2, \sigma)$. We deduce that $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_1 \Leftrightarrow \sigma \cdot w \not\models \varphi_2$. Let us consider $w \in \Sigma^\omega$. If $\sigma \cdot w \models \varphi_1$, we have $\sigma \cdot w \models \varphi_1 \vee \varphi_2$. Else ($\sigma \cdot w \not\models \varphi_1$), we have $\sigma \cdot w \models \varphi_2$, and then $\sigma \cdot w \models \varphi_2 \vee \varphi_1$. That is, $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_1 \vee \varphi_2$, i.e., $\sigma \in \mathit{good}(\varphi_1 \vee \varphi_2)$.

Let us suppose that $P(\varphi, \sigma) = \bot$. In this case, we have $P(\varphi_1, \sigma) = \bot$ and $P(\varphi_2, \sigma) = \bot$. Similarly, we can apply the induction hypothesis on $\varphi_1$ and $\varphi_2$ to find that $\sigma$ is a bad prefix of both $\varphi_1$ and $\varphi_2$, and is thus a bad prefix of $\varphi_1 \vee \varphi_2$ (using the LTL semantics of operator $\vee$).

- Case $\varphi = \varphi_1 \wedge \varphi_2$. This case is symmetrical to the previous one.

- Case $\varphi = \mathbf{G}\varphi'$. Recall that, according to the progression function for operator $\mathbf{G}$, $P(\mathbf{G}\varphi', \sigma) = P(\varphi', \sigma) \wedge \mathbf{G}\varphi'$.

Let us suppose that $P(\varphi, \sigma) = \top$. It means that $P(\varphi', \sigma) = \top$ and $\mathbf{G}\varphi' = \top$. This case reduces to the case where $\varphi = \top$.

Let us suppose that $P(\varphi, \sigma) = \bot$. We distinguish two cases.

• If $P(\varphi', \sigma) = \bot$ or $\mathbf{G}\varphi' = \bot$. We distinguish again two sub-cases.

* Sub-case $P(\varphi', \sigma) = \bot$. Using the induction hypothesis on $\varphi'$, we deduce that $\sigma \in \mathit{bad}(\varphi')$, i.e., $\forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \varphi'$. Following the LTL semantics of operator $\mathbf{G}$, we deduce that $\forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \mathbf{G}\varphi'$, i.e., $\sigma \in \mathit{bad}(\mathbf{G}\varphi')$.

* Sub-case $\mathbf{G}\varphi' = \bot$. This case reduces to the case where $\varphi = \bot$.

• If $P(\varphi', \sigma) \neq \bot$ and $\mathbf{G}\varphi' \neq \bot$. From $P(\varphi', \sigma) \wedge \mathbf{G}\varphi' = \bot$, we deduce that $P(\varphi', \sigma) = \neg\mathbf{G}\varphi'$. Using Lemma 1 on $\varphi'$, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi' \Leftrightarrow w \models P(\varphi', \sigma)$. Thus $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi' \Leftrightarrow w \not\models \mathbf{G}\varphi'$. Let us consider $w \in \Sigma^\omega$. If $\sigma \cdot w \models \varphi'$, then we have $w \not\models \mathbf{G}\varphi'$. According to the LTL semantics of operator $\mathbf{G}$, it means that $\exists i \in \mathbb{N}^{\geq 0}.\ w^i \not\models \varphi'$. Thus, still following the LTL semantics of operator $\mathbf{G}$, $(\sigma \cdot w)^{i+1} \not\models \varphi'$, and, consequently, $\sigma \cdot w \not\models \mathbf{G}\varphi'$. Else ($\sigma \cdot w \not\models \varphi'$), we have directly $\sigma \cdot w \not\models \mathbf{G}\varphi'$.

- Case $\varphi = \mathbf{F}\varphi'$. Recall that, according to the progression function for operator $\mathbf{F}$, $P(\mathbf{F}\varphi', \sigma) = P(\varphi', \sigma) \vee \mathbf{F}\varphi'$.

Let us suppose that $P(\varphi, \sigma) = \top$. We distinguish two cases.

• If $P(\varphi', \sigma) = \top$ or $\mathbf{F}\varphi' = \top$.

* Sub-case $P(\varphi', \sigma) = \top$. Following the previous reasoning, using the induction hypothesis on $\varphi'$, the LTL semantics of operator $\mathbf{F}$, and the definition of good prefixes, we obtain the expected result.

* Sub-case $\mathbf{F}\varphi' = \top$. This case reduces to the case where $\varphi = \top$.

• If $P(\varphi', \sigma) \neq \top$ and $\mathbf{F}\varphi' \neq \top$. From $P(\varphi', \sigma) \vee \mathbf{F}\varphi' = \top$, we deduce that $P(\varphi', \sigma) = \neg\mathbf{F}\varphi'$. Using Lemma 1 on $\varphi'$, we have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi' \Leftrightarrow w \models P(\varphi', \sigma)$. We thus have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi' \Leftrightarrow w \not\models \mathbf{F}\varphi'$. Let us consider $w \in \Sigma^\omega$. If $\sigma \cdot w \models \varphi'$, using the LTL semantics of operator $\mathbf{F}$, we have directly $\sigma \cdot w \models \mathbf{F}\varphi'$. Else ($\sigma \cdot w \not\models \varphi'$), we have $w \models \mathbf{F}\varphi'$. According to the LTL semantics of operator $\mathbf{F}$, it means that $\exists i \in \mathbb{N}^{\geq 0}.\ w^i \models \varphi'$, and thus $(\sigma \cdot w)^{i+1} \models \varphi'$. Consequently $\sigma \cdot w \models \mathbf{F}\varphi'$. That is, $\sigma \in \mathit{good}(\mathbf{F}\varphi')$.

Let us suppose that $P(\varphi, \sigma) = \bot$. It means that $P(\varphi', \sigma) = \bot$ and $\mathbf{F}\varphi' = \bot$. A similar reasoning as the one used for the case $\varphi = \mathbf{G}\varphi'$ and $P(\varphi, \sigma) = \top$ can be applied to obtain the expected result.

- Case $\varphi = \mathbf{X}\varphi'$. Recall that, according to the progression function for operator $\mathbf{X}$, $P(\mathbf{X}\varphi', \sigma) = \varphi'$.

Let us suppose that $P(\varphi, \sigma) = \top$. It means that $\varphi' = \top$. According to the LTL semantics of $\top$, we have $\forall w \in \Sigma^\omega.\ w \models \varphi'$. Then, $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \mathbf{X}\varphi' = \varphi$. That is, $\sigma \in \mathit{good}(\mathbf{X}\varphi')$.

Let us suppose that $P(\varphi, \sigma) = \bot$. It means that $\varphi' = \bot$. According to the LTL semantics of $\bot$, we have $\forall w \in \Sigma^\omega.\ w \not\models \varphi'$. Then, $\forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \mathbf{X}\varphi' = \varphi$. That is, $\sigma \in \mathit{bad}(\mathbf{X}\varphi')$.

- Case $\varphi = \varphi_1 \mathbf{U} \varphi_2$. Recall that, according to the progression function for operator $\mathbf{U}$, $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) = P(\varphi_2, \sigma) \vee (P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2)$.

Let us suppose that $P(\varphi, \sigma) = \top$. We distinguish two cases.

• If $P(\varphi_2, \sigma) = \top$ or $P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2 = \top$.

* Sub-case $P(\varphi_2, \sigma) = \top$. Using the induction hypothesis on $\varphi_2$, we have $\sigma \in \mathit{good}(\varphi_2)$. Let us consider $w \in \Sigma^\omega$; we have $\sigma \cdot w \in \mathcal{L}(\varphi_2)$, i.e., $(\sigma \cdot w)^0 \models \varphi_2$. According to the LTL semantics of $\mathbf{U}$, we have $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$, i.e., $\sigma \cdot w \in \mathcal{L}(\varphi_1 \mathbf{U} \varphi_2)$. We deduce that $\sigma \in \mathit{good}(\varphi_1 \mathbf{U} \varphi_2)$.

* Sub-case $P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2 = \top$. Necessarily, $\varphi_1 \mathbf{U} \varphi_2 = \top$ and this case reduces to the first one already treated.

• If $P(\varphi_2, \sigma) \neq \top$ and $P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2 \neq \top$. From $P(\varphi_1 \mathbf{U} \varphi_2, \sigma) = \top$, we deduce that $P(\varphi_2, \sigma) = \neg(P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2)$. Applying Lemma 1 to $\varphi_2$, we obtain $\forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi_2 \Leftrightarrow w \models P(\varphi_2, \sigma)$. We thus have $\forall w \in \Sigma^\omega.\ \sigma \cdot w \not\models \varphi_2 \Leftrightarrow w \models P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2$. Let us consider $w \in \Sigma^\omega$ and distinguish two cases. If $\sigma \cdot w \models \varphi_2$, according to the LTL semantics of $\mathbf{U}$, we have $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$. Else ($\sigma \cdot w \not\models \varphi_2$), it implies that $w \models P(\varphi_1, \sigma) \wedge \varphi_1 \mathbf{U} \varphi_2$, i.e. (using Lemma 1 on $\varphi_1$) $\sigma \cdot w \models \varphi_1$ and $w \models \varphi_1 \mathbf{U} \varphi_2$, and, in particular, $\sigma \cdot w \models \varphi_1 \mathbf{U} \varphi_2$. That is, in both cases, $\sigma \in \mathit{good}(\varphi_1 \mathbf{U} \varphi_2)$.

Additional notation. For the remaining proofs, we define $\mathcal{P}$, the extended progression function on traces, that consists in applying successively the progression function defined so far to each event in order.

Definition 5. Given a formula $\varphi \in LTL$ and a trace $u = u(0) \cdots u(t-1) \in \Sigma^+$, the application of the extended progression function $\mathcal{P}$ to $\varphi$ and $u$ is defined as:

$\mathcal{P}(\varphi, u(0) \cdots u(t-1)) = \mathcal{P}(\varphi, u) = P(\ldots(P(\varphi, u(0)), \ldots, u(t-1))).$

For the sake of readability, in the remainder, we overload the notation of the progression function on events to traces, i.e., $\mathcal{P}(\varphi, u)$ is denoted $P(\varphi, u)$.

Some intermediate lemmas. Based on the previously introduced notation and the definition of the progression function (Definition 2), we extend the progression function to traces. The following lemma states some equalities that directly follow from an inductive application of the definition of the progression function on events.

Lemma 3. Given some formulae $\varphi, \varphi_1, \varphi_2 \in LTL$, and a trace $u \in \Sigma^+$, the progression function can be extended to the trace $u$ by successively applying the previously defined progression function to each event of $u$ in order. Moreover, we have: $\forall \varphi, \varphi_1, \varphi_2 \in LTL.\ \forall u \in \Sigma^+.$

$P(\top, u) = \top,$
$P(\bot, u) = \bot,$
$P(p \in AP, u) = \top$ if $p \in u(0)$, $\bot$ otherwise,
$P(\neg\varphi, u) = \neg P(\varphi, u),$
$P(\varphi_1 \vee \varphi_2, u) = P(\varphi_1, u) \vee P(\varphi_2, u),$
$P(\varphi_1 \wedge \varphi_2, u) = P(\varphi_1, u) \wedge P(\varphi_2, u),$
$P(\mathbf{G}\varphi, u) = \bigwedge_{i=0}^{|u|-1} P(\varphi, u^i) \wedge \mathbf{G}\varphi,$
$P(\mathbf{F}\varphi, u) = \bigvee_{i=0}^{|u|-1} P(\varphi, u^i) \vee \mathbf{F}\varphi.$

Proof. The proof is done by two inductions: an induction on the length of the trace $u$ (which is also the number of times the progression function is applied) and a structural induction on $\varphi \in LTL$.

Base Case: $u = \sigma \in \Sigma$, $|u| = 1$. In this case, the result holds thanks to the definition of the progression function.

Induction case: Let us suppose that the lemma holds for any trace $u \in \Sigma^+$ of some length $t \in \mathbb{N}$ and let us consider the trace $u \cdot \sigma \in \Sigma^+$; we perform a structural induction on $\varphi \in LTL$.
Structural Base case: $\varphi \in \{\top, \bot, p \in AP\}$.

- Case $\varphi = \top$. In this case the result is trivial since we have:

$P(\top, u \cdot \sigma) = P(P(\top, u), \sigma)$ (extended progression)
$= P(\top, \sigma)$ (induction hypothesis on $u$)
$= \top$ (progression on events)

- Case $\varphi = \bot$. This case is symmetrical to the previous one.

- Case $\varphi = p \in AP$. Let us distinguish two cases: $p \in u(0)$ or $p \notin u(0)$.

• If $p \in u(0)$, we have:

$P(p, u \cdot \sigma) = P(P(p, u), \sigma)$ (extended progression)
$= P(\top, \sigma)$ (induction hypothesis on $u$)
$= \top$ (progression on events)

• If $p \notin u(0)$, we have:

$P(p, u \cdot \sigma) = P(P(p, u), \sigma)$ (extended progression)
$= P(\bot, \sigma)$ (induction hypothesis on $u$)
$= \bot$ (progression on events)

Induction Case: (f G {^<f', V'l V</52, Av52, Gif', Ftp', X(^', <^iU(^2}- Our induction hypothesis states that the lenmia 
holds for some formulae ip' ,(pi,ip2 G LTL. 

- Case ip = -"p'. We have: 

P{-^ip', u- a) = P{P{-^(p', u), a) (extended progression) 

= P{-iP{p', u),a) (induction hypothesis on u and p') 
= —'P{P{p', u), cr) (progression on events) 
= -'P{(p', u ■ a) (extended progression) 

- Case (p = X(p'. We have: 

P(X(p', u- a) — P{P{X.p' , u),(t) (extended progression) 

= P{P{(p', u^),<7) (induction hypothesis on u and y') 
= P{p' ,u^(t) (extended progression) 

= Pif',iu-ay) 

- Case ip — ipi V p2- We have: 

P{(pi V (p2, u- a) = P{P{(pi V (p2, u), a) (extended progression) 

= P{P(pi, u) V P{p2, u), a) (induction hypothesis on u and <^i, (^2) 

= P{P{(pi, u), cr) V P{P{ip2,u), a) (progression on events) 
= P{ipi ,u- a)\/ P{ip2 ,u- cr) (extended progression) 

- Case = </?i A !y£!2- This case is similar to the previous one. 

- Case p = Gp'. We have: 

P{G<p',u-a) 

= P{P{Gp' , m) , cr) (extended progression) 

= -P(A'=cr^ P{'t'' ^ ^ Gp' , a) (induction hypothesis on u and ip') 

= -P(A'=o ^ ^ A P{Gp' , cr) (progression on events for A) 

= Al=cr^ P{P{f', PiG^p', cr) (extended progression for A) 

= Al=(r^ Pi^': • 0") A P{Gip', cr) (extended progression) 

= AfctT^ Pi^'j • cr) A Pi^p', cr) A Gp' (progression on events for G) 

= A1=o P(f'^ • '^y) ^ P(f'^ • f^)'"""'"^) A Gcp' iu'-a={u- af and a = (u • (t)I''-'^I-1) 

= ;^r=o^-'P{^',{u-ay)AGp:' 
- Case $\varphi = F\varphi'$. We have:

$P(F\varphi', u \cdot \sigma)$
$= P(P(F\varphi', u), \sigma)$ (extended progression)
$= P(\bigvee_{i=0}^{|u|-1} P(\varphi', u^i) \vee F\varphi', \sigma)$ (induction hypothesis on $u$ and $\varphi'$)
$= P(\bigvee_{i=0}^{|u|-1} P(\varphi', u^i), \sigma) \vee P(F\varphi', \sigma)$ (progression on events)
$= \bigvee_{i=0}^{|u|-1} P(\varphi', u^i \cdot \sigma) \vee P(F\varphi', \sigma)$ (extended progression for $\vee$)
$= \bigvee_{i=0}^{|u|-1} P(\varphi', u^i \cdot \sigma) \vee P(\varphi', \sigma) \vee F\varphi'$ (progression on events for F)
$= \bigvee_{i=0}^{|u|-1} P(\varphi', (u \cdot \sigma)^i) \vee P(\varphi', (u \cdot \sigma)^{|u \cdot \sigma| - 1}) \vee F\varphi'$ ($u^i \cdot \sigma = (u \cdot \sigma)^i$ and $\sigma = (u \cdot \sigma)^{|u \cdot \sigma| - 1}$)
$= \bigvee_{i=0}^{|u \cdot \sigma| - 1} P(\varphi', (u \cdot \sigma)^i) \vee F\varphi'$

- Case $\varphi = \varphi_1 U \varphi_2$. We have:

$P(\varphi_1 U \varphi_2, u \cdot \sigma)$
$= P(P(\varphi_1 U \varphi_2, u), \sigma)$ (extended progression)
$= P\big(\bigvee_{i=0}^{|u|-1} (P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)) \vee \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2, \sigma\big)$ (induction hypothesis on $u$, and structural induction hypothesis on $\varphi_1$ and $\varphi_2$)
$= P\big(\bigvee_{i=0}^{|u|-1} (P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)), \sigma\big) \vee P\big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2, \sigma\big)$ (progression on events for $\vee$)
$= \bigvee_{i=0}^{|u|-1} \big(P(P(\varphi_2, u^i), \sigma) \wedge \bigwedge_{j=0}^{i-1} P(P(\varphi_1, u^j), \sigma)\big) \vee \bigwedge_{i=0}^{|u|-1} P(P(\varphi_1, u^i), \sigma) \wedge P(\varphi_1 U \varphi_2, \sigma)$ (progression on events for $\wedge$ and $\vee$)
$= \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i \cdot \sigma) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j \cdot \sigma)\big) \vee \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_1 U \varphi_2, \sigma)$ (extended progression)

Moreover:

$\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_1 U \varphi_2, \sigma)$
$= \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge \big(P(\varphi_2, \sigma) \vee P(\varphi_1, \sigma) \wedge \varphi_1 U \varphi_2\big)$ (progression on events for U)
$= \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_2, \sigma)\big) \vee \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_1, \sigma) \wedge \varphi_1 U \varphi_2\big)$ (distribution of $\wedge$ over $\vee$)
$= \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_2, \sigma)\big) \vee \big(\bigwedge_{i=0}^{|u \cdot \sigma| - 1} P(\varphi_1, (u \cdot \sigma)^i) \wedge \varphi_1 U \varphi_2\big)$ ($u^i \cdot \sigma = (u \cdot \sigma)^i$ and $\sigma = (u \cdot \sigma)^{|u \cdot \sigma| - 1}$, so $P(\varphi_1, \sigma)$ is absorbed as the last term of the conjunction)

Furthermore:

$\bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i \cdot \sigma) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j \cdot \sigma)\big) \vee \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_2, \sigma)\big)$
$= \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i \cdot \sigma) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j \cdot \sigma)\big) \vee \big(P(\varphi_2, \sigma) \wedge \bigwedge_{j=0}^{|u|-1} P(\varphi_1, u^j \cdot \sigma)\big)$ (variable renaming)
$= \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, (u \cdot \sigma)^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, (u \cdot \sigma)^j)\big) \vee \big(P(\varphi_2, (u \cdot \sigma)^{|u \cdot \sigma| - 1}) \wedge \bigwedge_{j=0}^{|u \cdot \sigma| - 2} P(\varphi_1, (u \cdot \sigma)^j)\big)$ ($u^i \cdot \sigma = (u \cdot \sigma)^i$ and $\sigma = (u \cdot \sigma)^{|u \cdot \sigma| - 1}$)
$= \bigvee_{i=0}^{|u \cdot \sigma| - 1} \big(P(\varphi_2, (u \cdot \sigma)^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, (u \cdot \sigma)^j)\big)$

Finally:

$P(\varphi_1 U \varphi_2, u \cdot \sigma)$
$= \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i \cdot \sigma) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j \cdot \sigma)\big) \vee \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i \cdot \sigma) \wedge P(\varphi_2, \sigma)\big) \vee \big(\bigwedge_{i=0}^{|u \cdot \sigma| - 1} P(\varphi_1, (u \cdot \sigma)^i) \wedge \varphi_1 U \varphi_2\big)$
$= \bigvee_{i=0}^{|u \cdot \sigma| - 1} \big(P(\varphi_2, (u \cdot \sigma)^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, (u \cdot \sigma)^j)\big) \vee \big(\bigwedge_{i=0}^{|u \cdot \sigma| - 1} P(\varphi_1, (u \cdot \sigma)^i) \wedge \varphi_1 U \varphi_2\big)$

□



We introduce another intermediate lemma, which is a consequence of the definition of the LTL semantics (Definition 1) and the definition of the progression function (Definition 8). This lemma will be useful in the remaining proofs. It states that the progression function "mimics" the semantics of LTL on a trace $u \in \Sigma^+$.

Lemma 4. Let $\varphi$ be an LTL formula, $u \in \Sigma^+$ a non-empty trace and $w \in \Sigma^\omega$ an infinite trace; we have $u \cdot w \models \varphi \Leftrightarrow w \models P(\varphi, u)$.

Proof. We shall prove the following statement:

$\forall u \in \Sigma^+.\ \forall w \in \Sigma^\omega.\ \forall \varphi \in \text{LTL}.\ u \cdot w \models \varphi \Leftrightarrow w \models P(\varphi, u)$.

Let us consider $u \in \Sigma^+$; the proof is done by a structural induction on $\varphi \in$ LTL.
Base case: $\varphi \in \{\top, \bot, p \in AP\}$.

- Case $\varphi = \top$. This case is trivial since, using Lemma 3 on $\top$ and $u$, we have $P(\top, u) = \top$. Moreover, according to the LTL semantics of $\top$, $\forall w \in \Sigma^\omega.\ u \cdot w \models \top$.

- Case $\varphi = \bot$. This case is symmetrical to the previous one.

- Case $\varphi = p \in AP$.

• Let us suppose that $u \cdot w \models p$, i.e., $p \in u(0)$. By applying Lemma 3 on $p$ and $u$, we have $P(p, u) = \top$. Moreover, due to the LTL semantics of $\top$, we have $\forall w \in \Sigma^\omega.\ w \models \top = P(p, u)$.

• Let us suppose that $w \models P(p, u)$. Since $P(p, u) \in \{\top, \bot\}$, we necessarily have $P(p, u) = \top$. According to the progression function, $P(p, u) = \top$ necessitates that $p \in u(0)$. Using the LTL semantics of atomic propositions, we deduce that $(u \cdot w)^0 \models p$, i.e., $u \cdot w \models p$.

Induction case: $\varphi \in \{\neg\varphi', \varphi_1 \vee \varphi_2, \varphi_1 \wedge \varphi_2, G\varphi', F\varphi', X\varphi', \varphi_1 U \varphi_2\}$. Our induction hypothesis states that the lemma holds for some formulae $\varphi', \varphi_1, \varphi_2 \in$ LTL.

- Case $\varphi = \varphi_1 \vee \varphi_2$. Recall that, by applying Lemma 3 on $\varphi_1 \vee \varphi_2$ and $u$, we have $P(\varphi_1 \vee \varphi_2, u) = P(\varphi_1, u) \vee P(\varphi_2, u)$.

• Let us suppose that $u \cdot w \models \varphi_1 \vee \varphi_2$. Let us distinguish two cases: $\varphi_1 \vee \varphi_2 = \top$ and $\varphi_1 \vee \varphi_2 \neq \top$. If $\varphi_1 \vee \varphi_2 = \top$, then this case reduces to the case where $\varphi = \top$ already treated. If $\varphi_1 \vee \varphi_2 \neq \top$, it means that either $u \cdot w \models \varphi_1$ or $u \cdot w \models \varphi_2$. Let us treat the case where $u \cdot w \models \varphi_1$ (the other case is similar). From $u \cdot w \models \varphi_1$, we can apply the structural induction hypothesis on $\varphi_1$ to obtain $w \models P(\varphi_1, u)$, and then

$w \models P(\varphi_1, u) \vee P(\varphi_2, u) = P(\varphi_1 \vee \varphi_2, u)$.

• Let us suppose that $w \models P(\varphi_1 \vee \varphi_2, u)$. Let us again distinguish two cases. If $P(\varphi_1, u) \vee P(\varphi_2, u) = \top$, then it reduces to the case where $\varphi = \top$ already treated. If $P(\varphi_1, u) \vee P(\varphi_2, u) \neq \top$, then we have either $w \models P(\varphi_1, u)$ or $w \models P(\varphi_2, u)$. Let us treat the case where $w \models P(\varphi_1, u)$ (the other case is similar). From $w \models P(\varphi_1, u)$, we can apply the structural induction hypothesis on $\varphi_1$ to obtain $u \cdot w \models \varphi_1$, and thus, using the LTL semantics of $\vee$, $u \cdot w \models \varphi_1 \vee \varphi_2$.

- Case $\varphi = \varphi_1 \wedge \varphi_2$. This case is similar to the previous one.

- Case $\varphi = G\varphi'$. Recall that, by applying Lemma 3 on $G\varphi'$ and $u$, we have $P(G\varphi', u) = \bigwedge_{i=0}^{|u|-1} P(\varphi', u^i) \wedge G\varphi'$.

• Let us suppose that $u \cdot w \models G\varphi'$. From the LTL semantics of operator G, we have $\forall i \in \mathbb{N}^{\geq 0}.\ (u \cdot w)^i \models \varphi'$. In particular, it implies that $\forall 0 \leq i \leq |u| - 1.\ u^i \cdot w \models \varphi'$ and $\forall i \geq 0.\ ((u \cdot w)^{|u|})^i \models \varphi'$. Using $\forall 0 \leq i \leq |u| - 1.\ u^i \cdot w \models \varphi'$ and applying the structural induction hypothesis on $\varphi'$ and the $u^i$'s, we obtain $\forall 0 \leq i \leq |u| - 1.\ w \models P(\varphi', u^i)$, and thus $w \models \bigwedge_{i=0}^{|u|-1} P(\varphi', u^i)$. Using $\forall i \geq 0.\ w^i = ((u \cdot w)^{|u|})^i \models \varphi'$, we obtain $w \models G\varphi'$. As expected, according to the LTL semantics of $\wedge$, we have

$w \models \bigwedge_{i=0}^{|u|-1} P(\varphi', u^i) \wedge G\varphi' = P(G\varphi', u)$.

• Let us suppose that $w \models P(G\varphi', u)$. We have $\forall 0 \leq i \leq |u| - 1.\ w \models P(\varphi', u^i)$ and $w \models G\varphi'$. Using the structural induction hypothesis on $\varphi'$ and the $u^i$'s, it follows that $\forall 0 \leq i \leq |u| - 1.\ u^i \cdot w = (u \cdot w)^i \models \varphi'$. Using the semantics of operator G, from $w \models G\varphi'$ and $\forall 0 \leq i \leq |u| - 1.\ u^i \cdot w = (u \cdot w)^i \models \varphi'$, we deduce $u \cdot w \models G\varphi'$.

- Case $\varphi = F\varphi'$. This case is similar to the previous one.
- Case $\varphi = X\varphi'$. Recall that, by applying Lemma 3 on $u$ and $X\varphi'$, we have $P(X\varphi', u) = P(\varphi', u^1)$. Using the LTL semantics of X, we have $u \cdot w \models X\varphi'$ iff $(u \cdot w)^1 \models \varphi'$. Thus we have $u \cdot w \models X\varphi'$ iff $u^1 \cdot w \models \varphi'$ iff (induction hypothesis on $\varphi'$) $w \models P(\varphi', u^1) = P(X\varphi', u)$.

- Case $\varphi = \neg\varphi'$. Recall that, by applying Lemma 3 on $u$ and $\neg\varphi'$, we have $P(\neg\varphi', u) = \neg P(\varphi', u)$. Using the LTL semantics of operator $\neg$, we have $\forall \varphi \in \text{LTL}.\ \forall w \in \Sigma^\omega.\ w \not\models \varphi \Leftrightarrow w \models \neg\varphi$. Thus, we have $u \cdot w \models \neg\varphi'$ iff $u \cdot w \not\models \varphi'$ iff (induction hypothesis on $\varphi'$) $w \not\models P(\varphi', u)$ iff $w \models \neg P(\varphi', u)$ iff $w \models P(\neg\varphi', u)$.

- Case $\varphi = \varphi_1 U \varphi_2$. Recall that, by applying Lemma 3 on $u$ and $\varphi_1 U \varphi_2$, we have

$P(\varphi_1 U \varphi_2, u) = \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)\big) \vee \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2$.

• Let us suppose that $u \cdot w \models \varphi_1 U \varphi_2$. According to the LTL semantics of operator U, $\exists k \in \mathbb{N}^{\geq 0}.\ (u \cdot w)^k \models \varphi_2 \wedge \forall 0 \leq l < k.\ (u \cdot w)^l \models \varphi_1$. Let us distinguish two cases: $k \geq |u|$ and $k < |u|$.

* If $k \geq |u|$, then we have in particular $\forall 0 \leq l \leq |u| - 1.\ u^l \cdot w \models \varphi_1$. Applying the structural induction hypothesis on $\varphi_1$ and the $u^l$'s, we find $\forall 0 \leq l \leq |u| - 1.\ w \models P(\varphi_1, u^l)$, i.e., $w \models \bigwedge_{l=0}^{|u|-1} P(\varphi_1, u^l)$. From $(u \cdot w)^k \models \varphi_2$ and $k \geq |u|$, we deduce that $\exists k' \geq 0.\ w^{k'} \models \varphi_2$, with $k' = k - |u|$. Furthermore, we have $\forall 0 \leq l < k'.\ w^l = (u \cdot w)^{|u| + l} \models \varphi_1$, i.e., $w \models \varphi_1 U \varphi_2$. Finally, $w \models \bigwedge_{l=0}^{|u|-1} P(\varphi_1, u^l) \wedge \varphi_1 U \varphi_2$, and thus

$w \models P(\varphi_1 U \varphi_2, u)$.

* If $k < |u|$, then from $(u \cdot w)^k \models \varphi_2$, we have $u^k \cdot w \models \varphi_2$. Using the induction hypothesis on $\varphi_2$ and $u^k$, we have $w \models P(\varphi_2, u^k)$. Moreover, using $\forall l < k.\ (u \cdot w)^l = u^l \cdot w \models \varphi_1$ and the induction hypothesis on $\varphi_1$ and the $u^l$'s, we obtain $\forall l < k.\ w \models P(\varphi_1, u^l)$. Finally, we have $w \models \bigwedge_{l=0}^{k-1} P(\varphi_1, u^l) \wedge P(\varphi_2, u^k)$, and thus $w \models P(\varphi_1 U \varphi_2, u)$.

• Let us suppose that $w \models P(\varphi_1 U \varphi_2, u)$. We distinguish two sub-cases: $P(\varphi_1 U \varphi_2, u) = \top$ and $P(\varphi_1 U \varphi_2, u) \neq \top$.

* Sub-case $P(\varphi_1 U \varphi_2, u) = \top$. We distinguish again three sub-cases:

· Sub-case $\bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)\big) = \top$. Necessarily, we have $\exists 0 \leq i \leq |u| - 1.\ P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j) = \top$. Otherwise, that would mean that $\exists i_1, i_2 \in [0, |u| - 1].\ P(\varphi_2, u^{i_1}) \wedge \bigwedge_{j=0}^{i_1 - 1} P(\varphi_1, u^j) = \neg\big(P(\varphi_2, u^{i_2}) \wedge \bigwedge_{j=0}^{i_2 - 1} P(\varphi_1, u^j)\big)$ and we would obtain a contradiction. From $P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j) = \top$, we have $P(\varphi_2, u^i) = \top$ and $\bigwedge_{j=0}^{i-1} P(\varphi_1, u^j) = \top$. Using the induction hypothesis on $\varphi_1$ and $\varphi_2$, we obtain $u^i \cdot w \models \varphi_2$ and $\forall 0 \leq j < i.\ u^j \cdot w \models \varphi_1$. According to the LTL semantics of operator U, it means $u \cdot w \models \varphi_1 U \varphi_2$.

· Sub-case $\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2 = \top$. In this case, we have necessarily $\varphi_1 U \varphi_2 = \top$, and this case reduces to the case where $\varphi = \top$.

· Sub-case $\bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)\big) \neq \top$ and $\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2 \neq \top$. We have then

$w \models \bigvee_{i=0}^{|u|-1} \big(P(\varphi_2, u^i) \wedge \bigwedge_{j=0}^{i-1} P(\varphi_1, u^j)\big) \vee \big(\bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2\big)$.

Let us suppose that $\forall i \in \mathbb{N}^{\geq 0}.\ (u \cdot w)^i \not\models \varphi_2$. Following the induction hypothesis on $\varphi_2$, it means in particular that $\forall 0 \leq i \leq |u| - 1.\ w \not\models P(\varphi_2, u^i)$. Then, since $w \models P(\varphi_1 U \varphi_2, u)$, it would imply that $w \models \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2$. But, from $w \models \varphi_1 U \varphi_2$, we would obtain a contradiction according to the LTL semantics. Hence, let us consider $i$ the minimal $k \in \mathbb{N}^{\geq 0}$ s.t. $(u \cdot w)^k \models \varphi_2$. If $i > |u| - 1$, then similarly we have $w \models \bigwedge_{i=0}^{|u|-1} P(\varphi_1, u^i) \wedge \varphi_1 U \varphi_2$. It follows that $\forall 0 \leq l \leq |u| - 1.\ u^l \cdot w \models \varphi_1$ and $\forall |u| - 1 < l < i.\ (u \cdot w)^l \models \varphi_1$, and thus $u \cdot w \models \varphi_1 U \varphi_2$. Else ($i \leq |u| - 1$), we can follow a similar reasoning to obtain the expected result.

* Sub-case $P(\varphi_1 U \varphi_2, u) \neq \top$. Similarly, in this case, we can show that $\exists k \in \mathbb{N}^{\geq 0}.\ (u \cdot w)^k \models \varphi_2$. Then we consider $k_{min}$ the minimal $k$ s.t. $(u \cdot w)^k \models \varphi_2$. Then, we can show that $\forall k' < k_{min}.\ (u \cdot w)^{k'} \models \varphi_1$. And then $u \cdot w \models \varphi_1 U \varphi_2$.

□
Proof for Theorem 1. We shall prove the following statement:

$\forall u \in \Sigma^+.\ \forall \varphi \in \text{LTL}.\ v = P(\varphi, u) \Rightarrow (v = \top \Rightarrow u \models_3 \varphi = \top) \wedge (v = \bot \Rightarrow u \models_3 \varphi = \bot)$.

The proof uses the definition of the LTL semantics (Definition 1), the definition of good and bad prefixes (Definition 8), the progression function (Definition 3), and Lemma 1.

Proof. According to Lemma 4, we have $\forall u \in \Sigma^+.\ \forall w \in \Sigma^\omega.\ u \cdot w \models \varphi \Leftrightarrow w \models P(\varphi, u)$. Consequently, we have $\forall u \in \Sigma^+.\ \forall w \in \Sigma^\omega.\ u \cdot w \not\models \varphi \Leftrightarrow w \not\models P(\varphi, u)$ as well. Therefore, when $P(\varphi, u) = \top$, we have $\forall w \in \Sigma^\omega.\ u \cdot w \models \varphi$, i.e., $u \in good(\varphi)$. Also, when $P(\varphi, u) = \bot$, we have $\forall w \in \Sigma^\omega.\ u \cdot w \not\models \varphi$, i.e., $u \in bad(\varphi)$. □



A.2 Proofs for Section 5 

Proof of Corollary 1. We shall prove the following statement:

$|\mathcal{M}| = 1 \Rightarrow \forall u \in \Sigma^*.\ \forall \varphi \in \text{LTL}.\ u \models_3 \varphi = u \models_D \varphi$.

Proof. The proof is trivial, since in case of one component in the system, the extended progression rule (1) is reduced to its initial definition in the centralised case, i.e., $\forall p \in AP.\ \forall \sigma \in \Sigma.\ P(p, \sigma, AP_1) = P(p, \sigma)$. Moreover, no past goal is generated, i.e., the extended progression rule (2) is never applied. □



A.3 Proofs for Section 6 

Let us first formalise Algorithm L a bit more by introducing some additional notation.

- $send(i, t, j) \in \{true, false\}$ is a predicate indicating whether or not the monitor $i$ sends a formula to monitor $j$ at time $t$, with $i \neq j$.

- $send(i, t) \in \{true, false\}$ is a predicate indicating whether or not the monitor $i$ sends a formula to some monitor at time $t$.

- $kept(i, t) \in$ LTL is the local obligation kept by monitor $i$ at time $t$ for the next round (time $t + 1$).

- $received(i, t, j) \in$ LTL is the obligation received by monitor $i$ at time $t$ from monitor $j$, with $i \neq j$.

- $received(i, t) \in$ LTL is the obligation received by monitor $i$ at time $t$ from all monitors.

- $inlo(i, t, \varphi) \in$ LTL is the local obligation of monitor $i$ at time $t$ when monitoring the global specification formula $\varphi$, before applying the progression function, i.e., after applying step L3 of Algorithm L.

- $lo(i, t, \varphi) \in$ LTL is the local obligation of monitor $i$ at time $t$ when monitoring the global specification formula $\varphi$ after applying the progression function, i.e., after applying step L4 of Algorithm L.

- $movi(\varphi) \in sus(\varphi)$ is the most urgent formula belonging to the set of urgent subformulae of $\varphi$.

- $ulo(i, t, \varphi) = sus(lo(i, t, \varphi))$ is the set of urgent local obligations of monitor $i$ at time $t$ when monitoring the global specification formula $\varphi$.

Based on the previous notation and Algorithm L, we have the following relations:

- $send(i, t, j)$ is true if monitor $M_j$ is the first monitor containing the most urgent obligation contained in the local obligation of $M_i$, according to the order in $[1, n]$. Formally:

$send(i, t, j) = true$ if $M_j = Mon(M_i, Prop(ulo(i, t, \varphi))) \wedge ulo(i, t, \varphi) \neq \emptyset$, and $false$ otherwise.

- $send(i, t)$ is true if monitor $M_i$ sends its local obligation to some monitor. Formally: $send(i, t) = \exists j \in [1, n] \setminus \{i\}.\ send(i, t, j)$.

- $kept(i, t) \in$ LTL is either $\#$ if $M_i$ sends its local obligation to some monitor at time $t - 1$, or its local obligation at time $t - 1$ otherwise. Formally:

$kept(i, t) = \#$ if $\exists j \in [1, n] \setminus \{i\}.\ send(i, t - 1, j)$, and $lo(i, t - 1, \varphi)$ otherwise.
- $received(i, t, j)$ is the local obligation of $M_j$ received by $M_i$ at time $t$ if $t \geq 1$ and $M_j$ actually sends something to $M_i$. Formally:

$received(i, t, j) = lo(j, t - 1, \varphi)$ if $send(j, t - 1, i) \wedge t \geq 1$, and $\top$ otherwise.

- $received(i, t)$ is the conjunction of all obligations received by monitor $i$ from all other monitors at time $t$. Formally:

$received(i, t) = \bigwedge_{j = 1, j \neq i}^{|\mathcal{M}|} received(i, t, j)$

- $inlo(i, t, \varphi)$ is

• at time $t \geq 1$, what was kept by $M_i$ at time $t - 1$ and the obligation received at time $t$;

• at time $t = 0$, the initial obligation, i.e., the global specification $\varphi$.

Formally:

$inlo(i, t, \varphi) = \varphi$ if $t = 0$, and $kept(i, t - 1) \wedge received(i, t)$ otherwise.

- $lo(i, t, \varphi)$ is

• at time $t \geq 1$, the result of progressing what was kept by $M_i$ at time $t - 1$ and the obligation received at time $t$ with the current local event $u_i(t)$;

• at time $t = 0$, the result of progressing the initial obligation, i.e., the global specification, with the current local event $u_i(0)$.

Formally:

$lo(i, t, \varphi) = P(\varphi, u_i(0), AP_i)$ if $t = 0$, and $P(kept(i, t - 1) \wedge received(i, t), u_i(t), AP_i)$ otherwise.

Now, we can clearly state the theorem:

$\forall t \in \mathbb{N}^{\geq 0}.\ \forall \varphi \in \text{LTL}.\ \forall i \in [1, n].\ \forall \overline{X}^d p \in ulo(i, t, \varphi).\ d \leq \min(n, t + 1)$

Preliminaries to the proof. Let us first start with some remarks. At step L3 in Algorithm L, the local obligation of a monitor $M_i$ is defined to be $\varphi_i^* \wedge \bigwedge_{j \in [1, n], j \neq i} \varphi_j$, where $\varphi_j$ is an obligation received from monitor $M_j$ and $\varphi_i^*$ is the local obligation kept from time $t - 1$ (if $t = 0$, $\varphi_i^* = \varphi$). Let us note that the local obligations kept by the monitor from time $t - 1$ to time $t$, with $t \geq 1$, are not urgent. The result should thus be established on the urgent local obligations transmitted and rewritten by local monitors. More formally, this is stated by the following lemma.

Lemma 5. According to Algorithm L, we have:

$ulo(i, t, \varphi) = \bigcup_{j = 1, j \neq i}^{|\mathcal{M}|} sus\big(P(received(i, t, j), u_i(t), AP_i)\big)$

Proof. First let us notice that the formulae kept by any monitor $M_i$ at any time $t$ are not urgent. Indeed, we have, for all $i \in [1, n]$ and all $t \in \mathbb{N}^{\geq 0}$:

$sus(kept(i, t)) = sus(\#) = \emptyset$ if $\exists j \in [1, n] \setminus \{i\}.\ send(i, t - 1, j)$,
$sus(kept(i, t)) = sus(lo(i, t - 1, \varphi)) = \emptyset$ otherwise, since $M_i$ keeps its obligation only when $ulo(i, t - 1, \varphi) = sus(lo(i, t - 1, \varphi)) = \emptyset$.

That is, $\forall i \in [1, n].\ \forall t \geq 0.\ sus(kept(i, t)) = \emptyset$. Thus, $\forall i \in [1, n].\ \forall t \in \mathbb{N}^{\geq 0}.\ \forall \varphi \in \text{LTL}$:

$ulo(i, t, \varphi)$
$= sus\big(P(received(i, t), u_i(t), AP_i)\big)$
$= sus\big(P(\bigwedge_{j = 1, j \neq i}^{|\mathcal{M}|} received(i, t, j), u_i(t), AP_i)\big)$ (definition of $received(i, t)$)
$= sus\big(\bigwedge_{j = 1, j \neq i}^{|\mathcal{M}|} P(received(i, t, j), u_i(t), AP_i)\big)$ (progression on events)
$= \bigcup_{j = 1, j \neq i}^{|\mathcal{M}|} sus\big(P(received(i, t, j), u_i(t), AP_i)\big)$ (definition of $sus$)
Another last lemma will be needed before entering specifically into the proof. This lemma states that if a past obligation $\overline{X}^d p$ is part of a progressed formula, then the past obligation $\overline{X}^{d-1} p$ is part of its un-progressed form. More formally, this is stated by the following lemma.

Lemma 6. Let us consider $\mathcal{M} = \{M_1, \ldots, M_n\}$ where each monitor $M_i$ has a set of local atomic propositions $AP_i = \Pi_i(AP)$ and observes the set of events $\Sigma_i$; we have:

$\forall i \in [1, n].\ \forall \sigma \in \Sigma.\ \forall \varphi \in \text{LTL}.\ \forall \overline{X}^d p \in sus\big(P(\varphi, \sigma, AP_i)\big).\ d > 1 \Rightarrow \overline{X}^{d-1} p \in sus(\varphi)$

Proof. Let us consider $\sigma \in \Sigma$, $\Sigma_i \subseteq \Sigma$. The proof is done by a structural induction on $\varphi \in$ LTL.
Base case: $\varphi \in \{\top, \bot, p' \in AP\}$.

- Case $\varphi = \top$. In this case, the proof is trivial since $P(\top, \sigma, AP_i) = \top$ and $sus(\top) = \emptyset$.

- Case $\varphi = \bot$. This case is similar to the previous one.

- Case $\varphi = p' \in AP$. If $p' \in AP_i$, then $P(p', \sigma, AP_i) \in \{\top, \bot\}$ and $sus(P(p', \sigma, AP_i)) = \emptyset$. Else ($p' \notin AP_i$), $P(p', \sigma, AP_i) = \overline{X} p'$ and $sus(P(p', \sigma, AP_i)) = \{\overline{X} p'\}$, whose only element has $d = 1$, so the implication holds vacuously.

Induction case: $\varphi \in \{\neg\varphi', \varphi_1 \vee \varphi_2, \varphi_1 \wedge \varphi_2, \overline{X}^{d'} p', G\varphi', F\varphi', X\varphi', \varphi_1 U \varphi_2\}$. Our induction hypothesis states that the result holds for some formulae $\varphi', \varphi_1, \varphi_2 \in$ LTL.

- Case $\varphi = \neg\varphi'$. On one hand, we have

$sus\big(P(\neg\varphi', \sigma, AP_i)\big) = sus\big(\neg P(\varphi', \sigma, AP_i)\big)$
$= sus\big(P(\varphi', \sigma, AP_i)\big)$.

On the other hand, we have $sus(\neg\varphi') = sus(\varphi')$. Thus, by applying directly the induction hypothesis on $\varphi'$, we obtain the expected result.

- Case $\varphi = \varphi_1 \vee \varphi_2$. On one hand, we have

$sus\big(P(\varphi_1 \vee \varphi_2, \sigma, AP_i)\big) = sus\big(P(\varphi_1, \sigma, AP_i) \vee P(\varphi_2, \sigma, AP_i)\big)$
$= sus\big(P(\varphi_1, \sigma, AP_i)\big) \cup sus\big(P(\varphi_2, \sigma, AP_i)\big)$.

Thus, $\overline{X}^d p \in sus\big(P(\varphi_1 \vee \varphi_2, \sigma, AP_i)\big)$ implies that $\overline{X}^d p \in sus\big(P(\varphi_1, \sigma, AP_i)\big)$ or $\overline{X}^d p \in sus\big(P(\varphi_2, \sigma, AP_i)\big)$. On the other hand, $sus(\varphi_1 \vee \varphi_2) = sus(\varphi_1) \cup sus(\varphi_2)$. Hence, the result can be obtained by applying the induction hypothesis on either $\varphi_1$ or $\varphi_2$ depending on whether $\overline{X}^d p \in sus\big(P(\varphi_1, \sigma, AP_i)\big)$ or $\overline{X}^d p \in sus\big(P(\varphi_2, \sigma, AP_i)\big)$.

- Case $\varphi = \overline{X}^{d'} p'$ for some $d' \in \mathbb{N}$ and $p' \in AP$. On one hand, if $p' \in AP_i$, then it implies that $P(\overline{X}^{d'} p', \sigma, AP_i) \in \{\top, \bot\}$. Else ($p' \notin AP_i$), we have $P(\overline{X}^{d'} p', \sigma, AP_i) = \overline{X}^{d'+1} p'$. On the other hand, we have $sus(\overline{X}^{d'} p') = \{\overline{X}^{d'} p'\}$.

- Case $\varphi = G\varphi'$. By definition of the progression rule for G and the definition of $sus$, we have

$sus\big(P(G\varphi', \sigma, AP_i)\big)$
$= sus\big(P(\varphi', \sigma, AP_i) \wedge G\varphi'\big)$
$= sus\big(P(\varphi', \sigma, AP_i)\big)$.

Since $\varphi'$ is behind a future temporal operator, the only case where $sus\big(P(\varphi', \sigma, AP_i)\big) \neq \emptyset$ is when $\varphi'$ is a state-formula. In that case, $\overline{X}^d p \in sus\big(P(\varphi', \sigma, AP_i)\big)$ implies that $d = 1$.

- Cases $\varphi \in \{F\varphi', X\varphi', \varphi_1 U \varphi_2\}$. These cases are similar to the previous one.

□

Back to the proof of Theorem 2. We have to prove that for any $\overline{X}^d p \in$ LTL in a local obligation of some monitor $M_i \in \mathcal{M}$ at any time $t \in \mathbb{N}^{\geq 0}$, we have $d \leq \min(|\mathcal{M}|, t + 1)$. We will suppose that there are at least two components in the system (otherwise, the proof is trivial), i.e., $|\mathcal{M}| \geq 2$. The proof is done by distinguishing three cases according to the value of $t \in \mathbb{N}^{\geq 0}$.

First case: $t = 0$. In this case, we shall prove that $d \leq 1$. The proof is done by a structural induction on $\varphi \in$ LTL. Recall that for this case, where $t = 0$, we have $\forall i \in [1, |\mathcal{M}|].\ lo(i, 0, \varphi) = P(\varphi, u_i(0), AP_i)$.

Base case: $\varphi \in \{\top, \bot, p \in AP\}$.

- Case $\varphi = \top$. In this case we have $\forall i \in [1, |\mathcal{M}|].\ lo(i, 0, \top) = P(\top, u_i(0), AP_i) = \top$. Moreover, $sus(\top) = \emptyset$.

- Case $\varphi = \bot$. This case is symmetrical to the previous one.

- Case $\varphi = p \in AP$. We distinguish two cases: $p \in AP_i$ and $p \notin AP_i$. If $p \in AP_i$, then $lo(i, 0, p) \in \{\top, \bot\}$ and $sus(lo(i, 0, p)) = \emptyset$. Else ($p \notin AP_i$), we have $lo(i, 0, p) = \overline{X} p$, and $sus(lo(i, 0, p)) = \{\overline{X} p\} = \{\overline{X}^1 p\}$.

Structural induction case: $\varphi \in \{\neg\varphi', \varphi_1 \vee \varphi_2, \varphi_1 \wedge \varphi_2, G\varphi', F\varphi', X\varphi', \varphi_1 U \varphi_2\}$. Our induction hypothesis states that the result holds for some formulae $\varphi', \varphi_1, \varphi_2 \in$ LTL.

- Case $\varphi = \varphi_1 \vee \varphi_2$. We have:

$lo(i, 0, \varphi_1 \vee \varphi_2)$
$= P(\varphi_1 \vee \varphi_2, u_i(0), AP_i)$ ($lo$ definition for $t = 0$)
$= P(\varphi_1, u_i(0), AP_i) \vee P(\varphi_2, u_i(0), AP_i)$ (progression on events)
$= lo(i, 0, \varphi_1) \vee lo(i, 0, \varphi_2)$ ($lo$ definition for $t = 0$)

$sus(lo(i, 0, \varphi_1 \vee \varphi_2))$
$= sus(lo(i, 0, \varphi_1) \vee lo(i, 0, \varphi_2))$
$= sus(lo(i, 0, \varphi_1)) \cup sus(lo(i, 0, \varphi_2))$ ($sus$ definition)

We can apply the induction hypothesis on $\varphi_1$ and $\varphi_2$ to obtain successively:

$\forall \overline{X}^d p \in sus(lo(i, 0, \varphi_1)).\ d \leq 1$
$\forall \overline{X}^d p \in sus(lo(i, 0, \varphi_2)).\ d \leq 1$
$\forall \overline{X}^d p \in sus(lo(i, 0, \varphi_1)) \cup sus(lo(i, 0, \varphi_2)).\ d \leq 1$

- Case $\varphi = \neg\varphi'$. We have:

$lo(i, 0, \neg\varphi') = P(\neg\varphi', u_i(0), AP_i)$ ($lo$ definition)
$= \neg P(\varphi', u_i(0), AP_i)$ (progression on events)

$sus(lo(i, 0, \neg\varphi')) = sus(\neg P(\varphi', u_i(0), AP_i))$
$= sus(P(\varphi', u_i(0), AP_i))$ ($sus$ definition)
$= sus(lo(i, 0, \varphi'))$

- Case $\varphi = X\varphi'$. We have:

$lo(i, 0, X\varphi') = P(X\varphi', u_i(0), AP_i)$ ($lo$ definition)
$= \varphi'$ (progression on events)

$sus(lo(i, 0, X\varphi')) = sus(\varphi')$

Since $\varphi'$ is behind a future temporal operator, we have $sus(\varphi') = \emptyset$.

- Case $\varphi = G\varphi'$. We have:

$lo(i, 0, G\varphi') = P(G\varphi', u_i(0), AP_i)$ ($lo$ definition)
$= P(\varphi', u_i(0), AP_i) \wedge G\varphi'$ (progression on events)
$= lo(i, 0, \varphi') \wedge G\varphi'$ ($lo$ definition for $\varphi'$)

$sus(lo(i, 0, G\varphi')) = sus(lo(i, 0, \varphi') \wedge G\varphi')$
$= sus(lo(i, 0, \varphi')) \cup sus(G\varphi')$ ($sus$ definition)
$= sus(lo(i, 0, \varphi'))$ ($sus(G\varphi') = \emptyset$)

- Case $\varphi = F\varphi'$. This case is similar to the previous one.
- Case $\varphi = \varphi_1 U \varphi_2$. We have:

$lo(i, 0, \varphi_1 U \varphi_2)$
$= P(\varphi_1 U \varphi_2, u_i(0), AP_i)$ ($lo$ definition)
$= P(\varphi_2, u_i(0), AP_i) \vee \big(P(\varphi_1, u_i(0), AP_i) \wedge \varphi_1 U \varphi_2\big)$ (progression on events)
$= lo(i, 0, \varphi_2) \vee \big(lo(i, 0, \varphi_1) \wedge \varphi_1 U \varphi_2\big)$ ($lo$ definition for $\varphi_1$ and $\varphi_2$)

$sus(lo(i, 0, \varphi_1 U \varphi_2))$
$= sus\big(lo(i, 0, \varphi_2) \vee (lo(i, 0, \varphi_1) \wedge \varphi_1 U \varphi_2)\big)$
$= sus(lo(i, 0, \varphi_2)) \cup sus(lo(i, 0, \varphi_1)) \cup sus(\varphi_1 U \varphi_2)$ ($sus$ definition)
$= sus(lo(i, 0, \varphi_2)) \cup sus(lo(i, 0, \varphi_1))$ ($sus(\varphi_1 U \varphi_2) = \emptyset$)

For $t \geq 1$, the proof is done by reductio ad absurdum. Let us consider some $t \in \mathbb{N}$ and suppose that the theorem does not hold at time $t$. It means that:

$\exists \varphi \in \text{LTL}.\ \exists i \in [1, |\mathcal{M}|].\ \exists \overline{X}^d p \in ulo(i, t, \varphi).\ d > \min(|\mathcal{M}|, t + 1)$.

According to Lemma 5, since $ulo(i, t, \varphi) = \bigcup_{j = 1, j \neq i}^{|\mathcal{M}|} sus\big(P(received(i, t, j), u_i(t), AP_i)\big)$, it means that $\exists j_1 \in [1, |\mathcal{M}|] \setminus \{i\}.\ \overline{X}^d p \in sus\big(P(received(i, t, j_1), u_i(t), AP_i)\big)$. Using Lemma 6, we have $\overline{X}^{d-1} p \in sus(received(i, t, j_1))$. It implies that $send(j_1, t - 1, i) = true$ and $M_i = Mon(M_{j_1}, Prop(ulo(j_1, t - 1, \varphi)))$. We deduce that $i = \min\{j \in [1, |\mathcal{M}|] \setminus \{j_1\} \mid \exists p \in Prop(ulo(j_1, t - 1, \varphi)).\ p \in AP_j\}$. Moreover, from $\overline{X}^d p \in ulo(i, t, \varphi)$, we find $p \notin AP_i$, the formula being forwarded to some $M_{i'}$ with $i < i'$.

We can apply the same reasoning on $\overline{X}^{d-1} p$ to find that $i < j_1 < i'$ and $p \notin \Pi_{j_1}(AP)$. Following the same reasoning and using Lemma 6, we can find a set of indexes $\{j_1, \ldots, j_d\}$ s.t.

$\{j_1, \ldots, j_d\} \subseteq [1, |\mathcal{M}|] \wedge \forall j \in \{j_1, \ldots, j_d\}.\ p \notin AP_j \wedge j \in [1, |\mathcal{M}|]$.

Moreover, due to the ordering between components, we know that $\forall k_1, k_2 \in [1, d].\ k_1 < k_2 \Rightarrow j_{k_1} < j_{k_2}$.

Case $t < |\mathcal{M}|$. In this case we have $d > t + 1$, and thus, we have $\overline{X}^{d'} p \in sus(lo(j_t, 0, \varphi))$ with $d' > 1$, which is a contradiction with the result shown for $t = 0$.

Case $t \geq |\mathcal{M}|$. In this case, $\forall k_1, k_2 \in [1, d].\ k_1 < k_2 \Rightarrow j_{k_1} < j_{k_2}$ implies that $\forall j_{k_1}, j_{k_2} \in \{j_1, \ldots, j_d\}.\ k_1 \neq k_2 \Rightarrow j_{k_1} \neq j_{k_2}$. Hence, we have $p \notin \bigcup_{j=1}^{|\mathcal{M}|} AP_j \supseteq AP$. This is impossible. □

Proof of Theorem 3. We shall prove that the decentralised monitoring algorithm is sound, i.e., whenever the decentralised monitoring algorithm yields a verdict for a given trace, then the corresponding centralised algorithm yields the same verdict.

Some intermediate lemmas. Before proving the main result of this paper, we introduce some intermediate lemmas. The following lemma extends Lemma 1 to the decentralised case, i.e., it states that the progression function mimics the LTL semantics in the decentralised case.

Lemma 7. Let $\varphi$ be an LTL formula, $\sigma \in \Sigma$ an event, $\sigma_i$ the local event observed by monitor $M_i$, and $w$ an infinite trace; we have $\sigma \cdot w \models \varphi \Leftrightarrow (\sigma \cdot w)^1 \models P(\varphi, \sigma_i, AP_i)$.

Proof. We shall prove that:

$\forall i \in [1, n].\ \forall \varphi \in \text{LTL}.\ \forall \sigma \in \Sigma.\ \forall \sigma_i \in \Sigma_i.\ \forall w \in \Sigma^\omega.\ \sigma \cdot w \models \varphi \Leftrightarrow (\sigma \cdot w)^1 \models P(\varphi, \sigma_i, AP_i)$.

The proof is done by induction on the formula $\varphi \in$ LTL. Notice that when $\varphi$ is not an atomic proposition, the lemma reduces to Lemma 1. Thus, we just need to treat the case $\varphi = p \in AP$.

If $\varphi = p \in AP$, we have $\sigma \cdot w \models p \Leftrightarrow p \in \sigma$. Let us consider $i \in [1, n]$; according to the definition of the progression function (1):

$P(p, \sigma_i, AP_i) = \top$ if $p \in \sigma_i$,
$\bot$ if $p \notin \sigma_i \wedge p \in AP_i$,
$\overline{X} p$ otherwise.

Let us distinguish three cases.

- Suppose $p \in \sigma_i$. On one hand, we have $p \in \sigma$ and then $\sigma \cdot w \models p$. On the other hand, we have $P(p, \sigma_i, AP_i) = \top$ and thus $(\sigma \cdot w)^1 \models P(p, \sigma_i, AP_i)$.

- Suppose $p \notin \sigma_i$ and $p \in AP_i$. On one hand, because $p \in AP_i$ and $p \notin \sigma_i$, we have $p \notin \sigma$ and thus $\sigma \cdot w \not\models p$. On the other hand, we have $P(p, \sigma_i, AP_i) = \bot$, and thus $(\sigma \cdot w)^1 \not\models P(p, \sigma_i, AP_i)$.

- Suppose $p \notin \sigma_i$ and $p \notin AP_i$. We have $(\sigma \cdot w)^1 \models \overline{X} p \Leftrightarrow ((\sigma \cdot w)^1)^{-1} \models p \Leftrightarrow \sigma \cdot w \models p$.

□

The following lemma states that "the satisfaction of an LTL formula" is propagated by the decentralised monitoring algorithm.

Lemma 8.

$\forall t \in \mathbb{N}^{\geq 0}.\ \forall i \in [1, n].\ \forall \varphi \in \text{LTL}.\ \forall w \in \Sigma^\omega.\ inlo(i, t, \varphi) \neq \# \Rightarrow \big(w \models \varphi \Leftrightarrow w^t \models inlo(i, t, \varphi)\big)$

Proof. The proof is done by induction on $t \in \mathbb{N}^{\geq 0}$.

- For $t = 0$, the proof is trivial since $\forall i \in [1, n].\ \forall \varphi \in \text{LTL}.\ inlo(i, 0, \varphi) = \varphi$ and $w^0 = w$.

- Let us consider some $t \in \mathbb{N}^{\geq 0}$ and suppose that the lemma holds. Let us consider $i \in [1, n]$; we have:

$inlo(i, t + 1, \varphi) = kept(i, t) \wedge received(i, t + 1)$.

Let us now distinguish four cases according to the communication performed by local monitors at the end of time $t$, i.e., according to $send(i, t)$ and $send(j, t, i)$, for $j \in [1, n] \setminus \{i\}$.

• If $send(i, t) = false$ and $\exists j \in [1, n] \setminus \{i\}.\ send(j, t, i) = true$. Then, we have:

$inlo(i, t + 1, \varphi) = P\big(inlo(i, t, \varphi) \wedge \bigwedge_{j \in J} inlo(j, t, \varphi), u_i(t + 1), \Sigma_i\big)$,

where $\forall j \in J.\ send(j, t, i) = true$. Applying the definition of the progression function, we have:

$inlo(i, t + 1, \varphi) = P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i) \wedge \bigwedge_{j \in J} P(inlo(j, t, \varphi), u_i(t + 1), \Sigma_i)$.

Now, we have:

$w^{t+1} \models inlo(i, t + 1, \varphi)$
$\Leftrightarrow w^{t+1} \models P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i) \wedge \big(\forall j \in J.\ w^{t+1} \models P(inlo(j, t, \varphi), u_i(t + 1), \Sigma_i)\big)$

With:

$w^{t+1} \models P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i)$
$\Leftrightarrow (w^t)^1 \models P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i)$ ($w^{t+1} = (w^t)^1$)
$\Leftrightarrow (w(t) \cdot w^{t+1})^1 \models P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i)$ ($w^t = w(t) \cdot w^{t+1}$)
$\Leftrightarrow w(t) \cdot w^{t+1} \models inlo(i, t, \varphi)$ (Lemma 7)
$\Leftrightarrow w^t \models inlo(i, t, \varphi)$
$\Leftrightarrow w \models \varphi$ (induction hypothesis)

And similarly, for each $j \in J$, $w^{t+1} \models P(inlo(j, t, \varphi), u_i(t + 1), \Sigma_i) \Leftrightarrow w^t \models inlo(j, t, \varphi) \Leftrightarrow w \models \varphi$. It follows that:

$w^{t+1} \models inlo(i, t + 1, \varphi) \Leftrightarrow w^t \models inlo(i, t, \varphi) \wedge \bigwedge_{j \in J} w^t \models inlo(j, t, \varphi)$.

And finally:

$w^{t+1} \models inlo(i, t + 1, \varphi) \Leftrightarrow w^t \models inlo(i, t, \varphi) \Leftrightarrow w \models \varphi$.

• If $send(i, t) = true$ and $\exists j \in [1, n] \setminus \{i\}.\ send(j, t, i) = true$. Then, we have:

$inlo(i, t + 1, \varphi) = P\big(\# \wedge \bigwedge_{j \in J} inlo(j, t, \varphi), u_i(t + 1), \Sigma_i\big)$
$= P\big(\bigwedge_{j \in J} inlo(j, t, \varphi), u_i(t + 1), \Sigma_i\big)$,

where $\forall j \in J.\ send(j, t, i) = true$. The previous reasoning can be followed in the same manner to obtain the expected result.

• If $send(i, t) = false$ and $\forall j \in [1, n] \setminus \{i\}.\ send(j, t, i) = false$. Then, we have:

$inlo(i, t + 1, \varphi) = P(inlo(i, t, \varphi), u_i(t + 1), \Sigma_i)$.

The previous reasoning can be followed in the exact same manner to obtain the expected result.

• If $send(i, t) = true$ and $\forall j \in [1, n] \setminus \{i\}.\ send(j, t, i) = false$. Then, we have:

$inlo(i, t + 1, \varphi) = P(\#, u_i(t + 1), \Sigma_i) = \#$.

In this case, the result holds vacuously.

□

Back to the proof of Theorem 3. The soundness of Algorithm L is now a straightforward consequence of the two previous lemmas (Lemmas 7 and 8). Indeed, let us consider $u \in \Sigma^*$ s.t. $|u| = t$. We have that $u \models_D \varphi = \top$ implies that $\exists i \in [1, n].\ lo(i, t, \varphi) = \top$ and then $inlo(i, t + 1, \varphi) = \top$. It implies that $\forall w \in \Sigma^\omega.\ w \models inlo(i, t + 1, \varphi)$. Since $|u| = t$, it follows that $\forall w \in \Sigma^\omega.\ (u \cdot w)^{t+1} \models inlo(i, t + 1, \varphi)$. Applying Lemma 8, we have $\forall w \in \Sigma^\omega.\ u \cdot w \models \varphi$, i.e., $u \models_3 \varphi = \top$.

The proof for $u \models_D \varphi = \bot \Rightarrow u \models_3 \varphi = \bot$ is similar. □

Proof of Theorem 4. Let us first define some notation. Consider $\varphi \in$ LTL, $u \in \Sigma^+$, $i \in [1, |\mathcal{M}|]$:

- $rp(\varphi, u)$ is the formula $\varphi$ where past sub-formulae are removed and replaced by their evaluations using the trace $u$. Formally:

$rp(\varphi, u) =$ match $\varphi$ with
| $\overline{X}^d p \to \top$ if $p \in u(|u| - d)$, $\bot$ otherwise
| $\varphi_1 \wedge \varphi_2 \to rp(\varphi_1, u) \wedge rp(\varphi_2, u)$
| $\varphi_1 \vee \varphi_2 \to rp(\varphi_1, u) \vee rp(\varphi_2, u)$
| $\neg\varphi' \to \neg rp(\varphi', u)$
| $\_ \to \varphi$

- $rp(\varphi, u, i)$ is the formula $\varphi$ where past sub-formulae are removed (if possible) and replaced by their evaluations using only the sub-trace $u_i$ of $u$. Formally:

$rp(\varphi, u, i) =$ match $\varphi$ with
| $\overline{X}^d p \to \top$ if $p \in u_i(|u| - d)$; $\bot$ if $p \notin u_i(|u| - d)$ and $p \in AP_i$; $\overline{X}^d p$ otherwise
| $\varphi_1 \wedge \varphi_2 \to rp(\varphi_1, u, i) \wedge rp(\varphi_2, u, i)$
| $\varphi_1 \vee \varphi_2 \to rp(\varphi_1, u, i) \vee rp(\varphi_2, u, i)$
| $\neg\varphi' \to \neg rp(\varphi', u, i)$
| $\_ \to \varphi$

The following lemma exhibits some straightforward properties of the function $rp$.

Lemma 9. Let $\varphi$ be an LTL formula, $u \in \Sigma^+$ a trace of length $t + 1$, $i \in [1, |\mathcal{M}|]$ a monitor of one of the components, and $\sigma_i = u_i(t) \in \Sigma_i$ the last event of $u$ on component $i$; we have:

1. $rp\big(P(\varphi, \sigma_i, AP_i), u\big) = rp\big(P(rp(\varphi, u(0) \cdots u(t - 1)), \sigma_i, AP_i), u\big)$;

2. $rp\big(P(\varphi, \sigma_i, AP_i), u\big) = P(\varphi, u(t), AP)$;

3. $P(\varphi, u_i(t), AP_i) = P\big(rp(\varphi, u(0) \cdots u(t - 1), i), u_i(t), AP_i\big)$;

4. $\bigcup_{\varphi' \in sus(\varphi)} Prop(\varphi') \subseteq AP_i \Rightarrow rp(\varphi, u, i) = rp(\varphi, u)$;

5. For $\{i_1, \ldots, i_n\} = [1, |\mathcal{M}|]$, $rp(\ldots rp(rp(\varphi, u, i_1), u, i_2) \ldots, u, i_n) = rp(\varphi, u)$.

Proof. The proofs of these properties can be done by induction on $\varphi \in$ LTL and follow directly from the definitions of $rp$ and the progression function. □

Lemma 10. Any current local obligation where past sub-formulae have been evaluated using the trace read so far is equal to the initial obligation progressed with this same trace read so far. Formally:

$\forall u \in \Sigma^+.\ \forall i \in [1, |\mathcal{M}|].\ \forall t \in \mathbb{N}^{\geq 0}.\ \forall \varphi \in \text{LTL}.$
$|u| = t + 1 \wedge lo(i, t, \varphi) \neq \# \Rightarrow rp(lo(i, t, \varphi), u) = P(\varphi, u)$.

Proof. We shall prove this lemma by induction on $t \in \mathbb{N}^{\geq 0}$. Let us consider some component $M_i$ where $i \in [1, |\mathcal{M}|]$.

- For $t = 0$. In this case, $|u| = 1$ and we have $rp(lo(i, 0, \varphi), u) = rp\big(P(\varphi, \sigma_i, AP_i), u\big)$ where $\sigma_i = \Pi_i(u(0))$. We can obtain the expected result by doing an induction on $\varphi \in$ LTL where the only interesting case is $\varphi = p \in AP$. According to the definition of the progression function, we have:

$P(p, \sigma_i, AP_i) = \top$ if $p \in \sigma_i$,
$\bot$ if $p \notin \sigma_i \wedge p \in AP_i$,
$\overline{X} p$ otherwise.

Moreover, $p \in \sigma_i$ implies $p \in u(0)$, and $p \notin \sigma_i$ with $p \in AP_i$ implies $\forall j \in [1, |\mathcal{M}|].\ p \notin \Pi_j(u(0))$, i.e., $p \notin u(0)$. On one hand, according to the definition of $rp$, we have:

$rp(\overline{X} p, u(0)) = \top$ if $p \in u(0)$,
$\bot$ if $p \notin u(0)$.

Thus, we have:

$rp\big(P(p, \sigma_i, AP_i), u(0)\big) = \top$ if $p \in u(0)$,
$\bot$ if $p \notin u(0)$.

On the other hand, according to the definition of the progression function, we have:

$P(p, u(0)) = \top$ if $p \in u(0)$,
$\bot$ if $p \notin u(0)$.
- Let us consider some t gW and suppose that the property holds. We have: 

lo{i,t + l,ip) = P(kept{i,t) ATeceived{i,t),Ui{t + l),APi). 

Similarly to the proof of Lemma 8, let us distinguish four cases according to the communication that occurred at the end of time $t$.

• If $\mathrm{send}(i, t) = \mathrm{false}$ and $\forall j \in [1, |\mathcal{M}|] \setminus \{i\}.\ \mathrm{send}(j, t, i) = \mathrm{false}$. Then, we have:

$$\mathrm{lo}(i, t + 1, \varphi) = P(\mathrm{lo}(i, t, \varphi), u_i(t + 1), AP_i).$$

Let us now compute $\mathrm{rp}(\mathrm{lo}(i, t + 1, \varphi), u(0) \cdots u(t + 1))$:

$$\begin{aligned}
\mathrm{rp}(\mathrm{lo}(i, t + 1, \varphi), u(0) \cdots u(t + 1)) &= \mathrm{rp}(P(\mathrm{lo}(i, t, \varphi), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(Lemma 9, item 1)} \\
&= \mathrm{rp}(P(\mathrm{rp}(\mathrm{lo}(i, t, \varphi), u(0) \cdots u(t)), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(induction hypothesis)} \\
&= \mathrm{rp}(P(P(\varphi, u(0) \cdots u(t)), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(Lemma 9, item 2)} \\
&= P(P(\varphi, u(0) \cdots u(t)), u(t + 1), AP) && \text{($P(\varphi, u(0) \cdots u(t))$ is a future formula)} \\
&= P(\varphi, u(0) \cdots u(t + 1)).
\end{aligned}$$

• If $\mathrm{send}(i, t) = \mathrm{true}$ and $\exists j \in [1, |\mathcal{M}|] \setminus \{i\}.\ \mathrm{send}(j, t, i) = \mathrm{true}$. Then, we have:

$$\mathrm{lo}(i, t + 1, \varphi) = P\Big(\bigwedge_{j \in J} \mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i\Big)$$

s.t. $\forall j \in J.\ \mathrm{send}(j, t, i) = \mathrm{true}$. Then:

$$\begin{aligned}
\mathrm{rp}(\mathrm{lo}(i, t + 1, \varphi), u(0) \cdots u(t + 1)) &= \mathrm{rp}\Big(P\Big(\bigwedge_{j \in J} \mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i\Big), u(0) \cdots u(t + 1)\Big) && \text{(definition of the progression function)} \\
&= \mathrm{rp}\Big(\bigwedge_{j \in J} P(\mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)\Big) && \text{(definition of rp)} \\
&= \bigwedge_{j \in J} \mathrm{rp}(P(\mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(Lemma 9, item 1)} \\
&= \bigwedge_{j \in J} \mathrm{rp}(P(\mathrm{rp}(\mathrm{lo}(j, t, \varphi), u(0) \cdots u(t)), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(induction hypothesis)} \\
&= \bigwedge_{j \in J} \mathrm{rp}(P(P(\varphi, u(0) \cdots u(t)), u_i(t + 1), AP_i), u(0) \cdots u(t + 1)) && \text{(Lemma 9, item 2)} \\
&= \bigwedge_{j \in J} \mathrm{rp}(P(\varphi, u(0) \cdots u(t) \cdot u(t + 1)), u(0) \cdots u(t + 1)) && \text{($P(\varphi, u(0) \cdots u(t + 1))$ is a future formula)} \\
&= \bigwedge_{j \in J} P(\varphi, u(0) \cdots u(t + 1)) = P(\varphi, u(0) \cdots u(t + 1)).
\end{aligned}$$

• If $\mathrm{send}(i, t) = \mathrm{false}$ and $\exists j \in [1, |\mathcal{M}|] \setminus \{i\}.\ \mathrm{send}(j, t, i) = \mathrm{true}$. Then, we have:

$$\begin{aligned}
\mathrm{lo}(i, t + 1, \varphi) &= P\Big(\mathrm{lo}(i, t, \varphi) \wedge \bigwedge_{j \in J} \mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i\Big) \\
&= P(\mathrm{lo}(i, t, \varphi), u_i(t + 1), AP_i) \wedge P\Big(\bigwedge_{j \in J} \mathrm{lo}(j, t, \varphi), u_i(t + 1), AP_i\Big)
\end{aligned}$$

where $\forall j \in J.\ \mathrm{send}(j, t, i) = \mathrm{true}$. The proof of this case is just a combination of the proofs of the two previous cases.

• If $\mathrm{send}(i, t) = \mathrm{true}$ and $\forall j \in [1, |\mathcal{M}|] \setminus \{i\}.\ \mathrm{send}(j, t, i) = \mathrm{false}$. Then, we have: $\mathrm{lo}(i, t + 1, \varphi) = \#$. The result holds vacuously.

□ 
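As an added example (not the paper's code), the following Python implements the local progression function $P(\varphi, \sigma_i, AP_i)$ with its deferred $\overline{X}p$ case, the past-resolution function rp, and a run of the no-communication case of the proof above, checking at each step that $\mathrm{rp}(\mathrm{lo}(i, t, \varphi), u(0) \cdots u(t)) = P(\varphi, u(0) \cdots u(t))$ on a constructed trace. It assumes a tuple encoding of formulas, `('p', name)`, `('and', a, b)`, `('or', a, b)`, `('X', a)`, `('U', a, b)` and `('Y', a)` for $\overline{X}$, with `True`/`False` as the verdicts; the function names are also assumptions.

```python
def simp(f):
    """Constant folding so that verdicts surface as plain True/False."""
    if not isinstance(f, tuple) or f[0] not in ('and', 'or'):
        return f
    a, b = simp(f[1]), simp(f[2])
    absorb, unit = (False, True) if f[0] == 'and' else (True, False)
    if a is absorb or b is absorb:
        return absorb
    return b if a is unit else a if b is unit else (f[0], a, b)

def prog(f, sigma, ap):
    """P(f, sigma, ap) for a monitor with alphabet ap; with ap = AP it is the centralised P(f, sigma)."""
    if f is True or f is False:
        return f
    op = f[0]
    if op == 'p':  # base case of Lemma 10: unknown locally -> defer as "previously p"
        return True if f[1] in sigma else False if f[1] in ap else ('Y', f)
    if op == 'Y':  # a past obligation is carried along, shifted one step further back
        return ('Y', f)
    if op == 'X':
        return f[1]
    if op == 'U':  # P(a U b) = P(b) or (P(a) and a U b)
        return simp(('or', prog(f[2], sigma, ap), ('and', prog(f[1], sigma, ap), f)))
    return simp((op, prog(f[1], sigma, ap), prog(f[2], sigma, ap)))

def rp(f, u):
    """rp(f, u): Y^m p is resolved as p in u(|u| - m); future sub-formulas are left untouched."""
    if isinstance(f, tuple) and f[0] == 'Y':
        m, g = 0, f
        while g[0] == 'Y':
            m, g = m + 1, g[1]
        return g[1] in u[len(u) - m]
    if isinstance(f, tuple) and f[0] in ('and', 'or'):
        return simp((f[0], rp(f[1], u), rp(f[2], u)))
    return f

def run_local(phi, u, ap_i, ap):
    """Monitor i with no message exchanged: lo(i, t+1) = P(lo(i, t), u_i(t+1), AP_i).
    Returns per step (rp(lo(i, t), u(0..t)), P(phi, u(0..t))), which Lemma 10 says coincide."""
    lo, central, steps = phi, phi, []
    for t, ev in enumerate(u):
        lo = prog(lo, ev & ap_i, ap_i)  # u_i(t) is the projection of u(t) on AP_i
        central = prog(central, ev, ap)
        steps.append((rp(lo, u[:t + 1]), central))
    return steps, lo

# Constructed input: phi = a U b, monitor 1 owns {a}, global trace u = {a} {a} {b}.
AP, PHI = frozenset('ab'), ('U', ('p', 'a'), ('p', 'b'))
TRACE = [frozenset('a'), frozenset('a'), frozenset('b')]
STEPS, FINAL = run_local(PHI, TRACE, frozenset('a'), AP)
```

The final local obligation is a disjunction of $\overline{X}^3 b$, $\overline{X}^2 b$ and $\overline{X} b$, i.e. an urgent formula that the monitor alone cannot decide, while rp resolves it against the global trace to the same verdict $\top$ as the centralised progression.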

Back to the proof of Theorem 4. The remainder of the proof intuitively consists in showing that, in a given architecture, we can successively take two components and merge them to obtain an equivalent architecture, in the sense that both produce the same verdicts. The difference is that if a verdict is emitted in the merged architecture, then the same verdict will be produced in the non-merged architecture with an additional delay.
Lemma 11. In a two-component architecture, if in the centralised case a verdict is produced for some trace $u$, then, in the decentralised case, one of the monitors will produce the same verdict. Formally:

$$\forall \varphi \in \mathrm{LTL}.\ \forall u \in \Sigma^+.\ P(\varphi, u) = \top/\bot \Rightarrow \forall \sigma \in \Sigma^*.\ \exists i \in [1, 2].\ \mathrm{lo}(i, |u \cdot \sigma|, \varphi) = \top/\bot.$$

Proof. Let us consider a formula $\varphi \in \mathrm{LTL}$ and a trace $u \in \Sigma^+$ s.t. $|u| = t$. We shall only consider the case where $P(\varphi, u) = \top$. The other case is symmetrical. Let us suppose that $\mathrm{lo}(1, t, \varphi) \neq \top$ and $\mathrm{lo}(2, t, \varphi) \neq \top$ (otherwise the result holds immediately). Because of the correctness of the algorithm (Theorem 3), we know that $\mathrm{lo}(1, t, \varphi) \neq \bot$ and $\mathrm{lo}(2, t, \varphi) \neq \bot$. Moreover, according to Lemma 10, we have necessarily that $\mathrm{lo}(1, t, \varphi)$ and $\mathrm{lo}(2, t, \varphi)$ are urgent formulas: $\Upsilon(\mathrm{lo}(1, t, \varphi)) > 0$ and $\Upsilon(\mathrm{lo}(2, t, \varphi)) > 0$. Since there are only two components in the considered architecture, we have $\bigcup_{\varphi' \in \mathrm{sus}(\mathrm{lo}(1, t, \varphi))} \mathrm{Prop}(\varphi') \subseteq AP_2$ and $\bigcup_{\varphi' \in \mathrm{sus}(\mathrm{lo}(2, t, \varphi))} \mathrm{Prop}(\varphi') \subseteq AP_1$. According to Algorithm L, we have then $\mathrm{send}(1, t - 1, 2) = \mathrm{true}$ and $\mathrm{send}(2, t - 1, 1) = \mathrm{true}$. Then, in $\mathrm{lo}(1, t, \varphi)$, the obligation to be progressed is $\mathrm{lo}(2, t - 1, \varphi) \wedge \# = \mathrm{lo}(2, t - 1, \varphi)$. Hence: $\mathrm{lo}(1, t, \varphi) = P(\mathrm{lo}(2, t - 1, \varphi), u_1(t), AP_1)$. According to Lemma 9, item 4, we have $\mathrm{lo}(1, t, \varphi) = P(\mathrm{rp}(\mathrm{lo}(2, t - 1, \varphi), u(0) \cdots u(t), 1), u_1(t), AP_1)$. Since

$$\bigcup_{\varphi' \in \mathrm{sus}(\mathrm{lo}(2, t, \varphi))} \mathrm{Prop}(\varphi') \subseteq AP_1,$$

we have $\mathrm{rp}(\mathrm{lo}(2, t - 1, \varphi), u(0) \cdots u(t), 1) = \mathrm{rp}(\mathrm{lo}(2, t - 1, \varphi), u(0) \cdots u(t))$. It follows that:

$$\begin{aligned}
\mathrm{lo}(1, t, \varphi) &= P(\mathrm{rp}(\mathrm{lo}(2, t - 1, \varphi), u(0) \cdots u(t)), u_1(t), AP_1) \\
&= P(P(\varphi, u(0) \cdots u(t)), u_1(t), AP_1) && \text{(Lemma 10)} \\
&= P(\top, u_1(t), AP_1) = \top.
\end{aligned}$$

Symmetrically, we can find that $\mathrm{lo}(2, t, \varphi) = \top$. □

Given two components $C_1$ and $C_2$ with two attached monitors $M_1$ and $M_2$ observing respectively two partial traces $u_1$ and $u_2$ of some global trace $u$. The alphabets of $C_1$ and $C_2$ are $\Sigma_1$ and $\Sigma_2$ respectively. Consider the architecture $\mathcal{C} = \{C_1, C_2\}$ with the set of monitors $\mathcal{M} = \{M_1, M_2\}$. Let us define the new component $\mathrm{merge}(C_1, C_2)$ that produces events in $\Sigma_1 \cup \Sigma_2$. To the component $\mathrm{merge}(C_1, C_2)$ is attached a monitor $M$ observing events in the same alphabet. Now let us consider the architecture $\mathcal{C}' = \{\mathrm{merge}(C_1, C_2)\}$ which is a one-component architecture with the set of monitors $\mathcal{M}' = \{\mathrm{merge}(M_1, M_2)\}$.

We can parameterise the satisfaction relation of LTL formulae according to the considered architecture. The relation $\models_D$ becomes $\models_{\mathcal{M}}$ where $\mathcal{M}$ is the considered architecture. The definition of $\models_{\mathcal{M}}$ is the same as the definition of $\models_D$ (Definition 6).

Lemma 12. For a monitoring architecture $\mathcal{M} = \{M_1, M_2\}$ and the monitoring architecture $\mathcal{M}' = \{\mathrm{merge}(M_1, M_2)\}$ where the monitors of $\mathcal{M}$ have been merged, we have:

$$\forall u \in \Sigma^+.\ \forall \varphi \in \mathrm{LTL}.\ u \models_{\mathcal{M}'} \varphi = \top/\bot \Rightarrow \forall \sigma \in \Sigma^+.\ u \cdot \sigma \models_{\mathcal{M}} \varphi = \top/\bot.$$

Proof. This is a direct consequence of Lemma 11 and Corollary 1. Indeed, $\mathcal{M}'$ is a one-component architecture, thus $u \models_{\mathcal{M}'} \varphi = \top/\bot$ implies $u \models_C \varphi = \top/\bot$, i.e., $P(\varphi, u) = \top/\bot$. Now, since $\mathcal{M}$ is a two-component architecture, using Lemma 11, for all $\sigma \in \Sigma$, there exists $i \in [1, |\mathcal{M}|]$ s.t. $\mathrm{lo}(i, |u \cdot \sigma|, \varphi) = \top/\bot$. That is $u \cdot \sigma \models_{\mathcal{M}} \varphi = \top/\bot$. □

The following lemma relates verdict production in an n-component architecture and in the same architecture where the two components with the lowest priority have been merged.

Lemma 13. Let $\mathcal{M}$ be an n-component architecture, with $n > 2$, such that the priority between components is $M_1 < M_2 < \ldots < M_n$, i.e., $M_1$ and $M_2$ are the two components with the lowest priority*. Let us consider the architecture $\mathcal{M}' = \{\mathrm{merge}(M_1, M_2), M_3, \ldots, M_n\}$, then we have:

$$\forall u \in \Sigma^+.\ \forall \varphi \in \mathrm{LTL}.\ u \models_{\mathcal{M}'} \varphi = \top/\bot \Rightarrow \forall \sigma \in \Sigma^+.\ u \cdot \sigma \models_{\mathcal{M}} \varphi = \top/\bot.$$

* Here, without loss of generality, we assume that monitors have been sorted according to their index. If this hypothesis does not 
hold initially, the indexes of components can be re-arranged so that this hypothesis holds. 
Proof. We give a proof for the case where the verdict is $\top$ (the other case is symmetrical). Let us consider $u \in \Sigma^+$, $\varphi \in \mathrm{LTL}$ s.t. $u \models_{\mathcal{M}'} \varphi = \top$. Let $u'$ be the smallest prefix of $u$ s.t. $P(\varphi, u') = \top$. From the theorem about the maximal delay (Theorem 2), we have that $|u| - |u'| \leq (n - 1)$. Now each of the local obligations in the architecture $\mathcal{M}'$ will transit through at most $n$ monitors following the ordering between components. That is, in the worst case (i.e., if a verdict is not produced before time $|u'| + n$), any obligation will be progressed according to all components. More precisely, each time a local obligation is progressed on some component $C_i$, past obligations w.r.t. component $C_i$ are removed (Lemma 9, item 3). Using the compositionality of rp and of the progression function on conjunction, in the worst case the local obligation at time $|u'| + n$ will be a conjunction of formulas of the form

$$P(\ldots P(P(\mathrm{rp}(\cdots \mathrm{rp}(\mathrm{rp}(\varphi, u', i), u', i_1) \cdots, u', i_n), u_i(|u'|), AP_i), u_{i_1}(|u'| + 1), AP_{i_1}), \ldots, u_{i_n}(|u'| + n), AP_{i_n})$$

where $\varphi$ is a local obligation at time $|u'|$ and $i, i_1, \ldots, i_n \in [1, |\mathcal{M}'|]$ (because of the ordering between components).

Now according to Lemma 9, item 5:

$$\mathrm{rp}(\cdots \mathrm{rp}(\mathrm{rp}(\varphi, u', i), u', i_1) \cdots, u', i_n) = \mathrm{rp}(\varphi, u') = \top.$$

Following the definition of the progression function for $\top$, we have that necessarily the resulting local obligation at time $|u'| + n$ is $\top$. □

Lemma 14. Let $\mathcal{M}$ be an n-component architecture, with $n > 2$, such that the priority between components is $M_1 < M_2 < \ldots < M_n$. Let us consider the architecture $\mathcal{M}' = \{\mathrm{merge}(M_n, \mathrm{merge}(\ldots, \mathrm{merge}(M_2, M_1)))\}$, then we have:

$$\forall u \in \Sigma^+.\ \forall \varphi \in \mathrm{LTL}.\ u \models_{\mathcal{M}'} \varphi = \top/\bot \Rightarrow \forall u' \in \Sigma^+.\ |u'| \geq n \Rightarrow u \cdot u' \models_{\mathcal{M}} \varphi = \top/\bot.$$

Proof. By an easy induction on the number of components merged, using Lemma 13. □

Back to the proof of Theorem 4. Based on the previous results, we can easily show Theorem 4. 

Proof. Let us consider an n-component architecture $\mathcal{M} = \{M_1, \ldots, M_n\}$, a trace $u \in \Sigma^+$ and a formula $\varphi \in \mathrm{LTL}$. Let us suppose that $u \models_C \varphi = \top/\bot$. As the alphabets of the monitors are respectively $\Sigma_1, \ldots, \Sigma_n$ and each monitor $M_i$ is observing a sub-trace $u_i$ of $u$ where the hypothesis about alphabet partitioning mentioned in Section 2 holds, we can consider the architecture $\mathcal{M}' = \{\mathrm{merge}(M_n, \mathrm{merge}(\ldots, \mathrm{merge}(M_2, M_1)))\}$ where there is a unique monitor $M$ observing the same trace $u$. Now, since $\mathcal{M}'$ is a one-component architecture, from $u \models_C \varphi = \top/\bot$, by Corollary 1 we get $u \models_D \varphi = \top/\bot$. Using Lemma 13, we obtain that $\forall u' \in \Sigma^+.\ u \cdot u' \models_{\mathcal{M}} \varphi = \top/\bot$. □